Introduction

Docker has long been established as the standard for running containers. Its standing grew further once Kubernetes adopted Docker as its container runtime. I expected that standing to continue, and it is still the best and most proven option, but issues such as the announced discontinuation of the Docker CE version, its heavyweight feature set, and its single point of failure (SPOF) have kept surfacing, and a range of container runtimes are emerging as alternatives. In particular, Kubernetes now officially accepts runtimes other than Docker, such as rkt, containerd, and CRI-O (the subject of today's post), and they are threatening Docker's position.

Docker's drawbacks

1) High- and low-level container runtime

The Docker runtime is a complete package that includes both a high-level and a low-level container runtime. That can be counted as a strength, but because it is built as communication between the Docker daemon (Docker server), which plays the high-level role, and the Docker CLI (client), which plays the low-level role, the whole stack has to be set up and used even when only one of the two is wanted, or only a specific client function (starting containers, building Docker images, pulling and pushing images, and so on).

2) SPOF

The Docker daemon (Docker server) starts and manages multiple containers beneath it. In particular, if the Docker daemon on a Kubernetes master or worker node fails, the failure can propagate across the whole Kubernetes cluster. This makes it a textbook single point of failure.

3) Audit

The Linux kernel has a feature called audit. With it an administrator can monitor the system's security events and watch for intrusions from outside, and one of the mechanisms it relies on is login UID tracking.

The loginuid field, stored in /proc/self/loginuid, is part of the proc structure of every process on the system. It can be set only once: after it has been set, the kernel does not allow the process to reset it. You can check your own uid as follows.
[ec2-user@ip-192-168-114-198 ~]$ id
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),4(adm),10(wheel),190(systemd-journal)
[ec2-user@ip-192-168-114-198 ~]$ cat /proc/self/loginuid
1000
[ec2-user@ip-192-168-114-198 ~]$ sudo su -
Last login: Tue Dec 29 14:21:36 UTC 2020 on pts/0
[root@ip-192-168-114-198 ~]# cat /proc/self/loginuid
1000
[root@ip-192-168-114-198 ~]# su - nrson
Last login: Tue Dec 29 14:21:48 UTC 2020 on pts/0
[nrson@ip-192-168-114-198 ~]$ cat /proc/self/loginuid
1000
[nrson@ip-192-168-114-198 ~]$
As shown above, logging in as ec2-user assigns uid 1000, and that uid is kept even when the account changes (ec2-user > root > nrson). Every process forked and executed from the initial login process automatically inherits the loginuid, which is how the kernel knows that the person who logged in is ec2-user; that is the basis of the audit trail.

What we want to look at now is how docker gets in the way of this audit.
[root@ip-192-168-114-198 cri-o]# sudo docker run fedora cat /proc/self/loginuid
4294967295
[root@ip-192-168-114-198 cri-o]# sudo podman run fedora cat /proc/self/loginuid
1000
[root@ip-192-168-114-198 cri-o]#
Above, a container is started with docker and then with podman, and loginuid is checked in each.

Docker uses a client/server model. The docker command I ran is the Docker client tool, and it talks to the Docker daemon over a client/server channel. The Docker daemon then creates the container and relays stdin/stdout back to the Docker client tool. Podman uses the traditional fork/exec model for containers, so the container process is a child of the Podman process.

The default loginuid of a process (before loginuid is set) is 4294967295. The container is a child of the Docker daemon, and the Docker daemon is a child of the init system, so systemd, the Docker daemon and the container all carry the same unset loginuid, which means they fall outside the audit trail. In other words, there is no way to tell from audit.log who is managing a Docker container: if someone takes Docker down or tampers with a container maliciously, audit.log gives you no way to find out. Podman, because it uses the traditional fork/exec model, has audit.log recorded normally.
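To turn the loginuid observation above into something that can be run over audit.log, here is an added example (not part of the original post) that parses auditd SYSCALL records and reports execve events whose auid is still the unset value 4294967295. It assumes an audit watch rule tagged with the key "container-exec" (a name chosen for the example), and the log lines embedded in it are constructed, not captured from the host above.

```python
"""Audit-log check for the loginuid gap described above.

Added example, not part of the original post.  It parses auditd SYSCALL
records in auditd's key=value format and reports execve events, tagged by
an assumed watch-rule key "container-exec", whose auid is the kernel's
"unset" value 4294967295: processes no login session can be held
responsible for.  The log lines below are constructed for the example."""

import re
from typing import Dict, Iterable, List

UNSET_LOGINUID = 4294967295     # (uid_t)-1, the value before loginuid is set
SYSCALL_EXECVE_X86_64 = "59"    # audit records carry syscall numbers, not names

# Constructed audit.log excerpt: a podman fork/exec chain inherits auid=1000
# from the ec2-user login; a daemon-launched container process has auid unset
# (ppid=812 stands in for the daemon's pid).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1609251696.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=3120 pid=3135 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="podman" exe="/usr/bin/podman" key="container-exec"
type=SYSCALL msg=audit(1609251696.240:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=3135 pid=3142 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="cat" exe="/usr/bin/cat" key="container-exec"
type=SYSCALL msg=audit(1609251702.512:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=3188 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/usr/bin/cat" key="container-exec"
type=PROCTITLE msg=audit(1609251702.512:2003): proctitle=636174002F70726F632F73656C662F6C6F67696E756964
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HDR = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one auditd record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    hdr = _HDR.search(line)
    if hdr:
        rec["timestamp"], rec["serial"] = hdr.group(1), hdr.group(2)
    return rec


def decode_proctitle(hexstr: str) -> str:
    """PROCTITLE records hex-encode argv with NUL separators."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


def unattributed_execs(lines: Iterable[str],
                       rule_key: str = "container-exec") -> List[Dict[str, str]]:
    """Return execve records under rule_key whose loginuid was never set.

    SYSCALL records are joined to their PROCTITLE record by serial number so
    the report can show the command line that ran without an accountable login."""
    syscalls: List[Dict[str, str]] = []
    titles: Dict[str, str] = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") == "PROCTITLE" and "proctitle" in rec:
            titles[rec.get("serial", "")] = decode_proctitle(rec["proctitle"])
        elif rec.get("type") == "SYSCALL":
            syscalls.append(rec)
    hits = []
    for rec in syscalls:
        if rec.get("key") != rule_key or rec.get("syscall") != SYSCALL_EXECVE_X86_64:
            continue
        if int(rec.get("auid", UNSET_LOGINUID)) == UNSET_LOGINUID:
            rec["cmdline"] = titles.get(rec.get("serial", ""), "")
            hits.append(rec)
    return hits


def loginuid_of(pid: int) -> int:
    """Read the live value of /proc/<pid>/loginuid (Linux only, needs access)."""
    with open(f"/proc/{pid}/loginuid") as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    for rec in unattributed_execs(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"serial={rec['serial']} pid={rec['pid']} ppid={rec['ppid']} "
              f"exe={rec['exe']} cmdline={rec['cmdline']!r}: auid unset, "
              "not attributable to any login session")
```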
Despite this problem, the reason people still use Docker comes down to convenience and familiarity. Having grown used to Docker over a long time, switching to CRI-O all at once is problematic. CRI-O is also still less mature: it is inconvenient in many respects, and although being daemonless is presented as an advantage, it remains hard to set up.

However, the Docker camp's move to paid licensing is something the open source community should prepare for sooner or later. It was some years ago now, but I suspect a moment comparable to the JDK going paid is coming.

From here on, let us look at how to use CRI-O, Podman, Buildah and Skopeo, the container runtimes and tools that have been gaining attention recently, in preparation for Docker becoming paid.

Podman: running containers

podman can run and manage containers and container images. It supports most of the same features and command options as docker; the difference is that podman needs neither docker nor any other active container runtime.

1. podman install
[root@ip-192-168-114-198 ~]# sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   359  100   359    0     0    237      0  0:00:01  0:00:01 --:--:--   237
[root@ip-192-168-114-198 ~]# sudo yum -y install yum-plugin-copr
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
devel_kubic_libcontainers_stable                         | 1.3 kB  00:00:00
devel_kubic_libcontainers_stable/primary                 |  12 kB  00:00:01
devel_kubic_libcontainers_stable                                        36/36
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-copr.noarch 0:1.1.31-46.amzn2.0.1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch     Version                 Repository          Size
================================================================================
Installing:
 yum-plugin-copr    noarch   1.1.31-46.amzn2.0.1     amzn2-core          32 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 32 k
Installed size: 40 k
Downloading packages:
yum-plugin-copr-1.1.31-46.amzn2.0.1.noarch.rpm           |  32 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-copr-1.1.31-46.amzn2.0.1.noarch                   1/1
  Verifying  : yum-plugin-copr-1.1.31-46.amzn2.0.1.noarch                   1/1

Installed:
  yum-plugin-copr.noarch 0:1.1.31-46.amzn2.0.1

Complete!
[root@ip-192-168-114-198 ~]# sudo yum -y copr enable lsm5/container-selinux
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
copr done
[root@ip-192-168-114-198 ~]# sudo yum -y install podman
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
copr:copr.fedorainfracloud.org:lsm5:container-selinux    | 3.3 kB  00:00:00
copr:copr.fedorainfracloud.org:lsm5:container-selinux/x86_64/primary_db | 2.5 kB  00:00:00
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package podman.x86_64 0:2.2.1-1.el7 will be installed
  [dependency resolution for the 18 dependent packages omitted]
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                      Arch    Version               Repository                                              Size
================================================================================
Installing:
 podman                       x86_64  2.2.1-1.el7           devel_kubic_libcontainers_stable                        21 M
Installing for dependencies:
 audit-libs-python            x86_64  2.8.1-3.amzn2.1       amzn2-core                                              79 k
 catatonit                    x86_64  0.1.5-1.el7           devel_kubic_libcontainers_stable                       326 k
 checkpolicy                  x86_64  2.5-6.amzn2           amzn2-core                                             294 k
 conmon                       x86_64  2:2.0.21-1.el7        devel_kubic_libcontainers_stable                        37 k
 container-selinux            noarch  2:2.107-3.el7         copr:copr.fedorainfracloud.org:lsm5:container-selinux   39 k
 containernetworking-plugins  x86_64  0.9.0-1.el7           devel_kubic_libcontainers_stable                        38 M
 containers-common            x86_64  2:1.2.0-15.el7        devel_kubic_libcontainers_stable                        87 k
 dnsmasq                      x86_64  2.76-16.amzn2.0.1     amzn2-core                                             278 k
 libnftnl                     x86_64  1.1.5-4.amzn2         amzn2-core                                              75 k
 libselinux-python            x86_64  2.5-12.amzn2.0.2      amzn2-core                                             237 k
 libsemanage-python           x86_64  2.5-11.amzn2          amzn2-core                                             115 k
 libslirp                     x86_64  4.3.1-2.el7           devel_kubic_libcontainers_stable                        60 k
 nftables                     x86_64  1:0.9.0-14.amzn2.0.1  amzn2-core                                             252 k
 podman-plugins               x86_64  2.2.1-1.el7           devel_kubic_libcontainers_stable                       2.4 M
 policycoreutils-python       x86_64  2.5-22.amzn2          amzn2-core                                             454 k
 python-IPy                   noarch  0.75-6.amzn2.0.1      amzn2-core                                              32 k
 setools-libs                 x86_64  3.3.8-2.amzn2.0.2     amzn2-core                                             618 k
 slirp4netns                  x86_64  1.1.8-1.el7           devel_kubic_libcontainers_stable                        47 k

Transaction Summary
================================================================================
Install  1 Package (+18 Dependent packages)

Total download size: 64 M
Installed size: 159 M
Downloading packages:
  [per-package download progress omitted]
warning: /var/cache/yum/x86_64/2/copr:copr.fedorainfracloud.org:lsm5:container-selinux/packages/container-selinux-2.107-3.el7.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 2e35d101: NOKEY
Public key for container-selinux-2.107-3.el7.noarch.rpm is not installed
warning: /var/cache/yum/x86_64/2/devel_kubic_libcontainers_stable/packages/conmon-2.0.21-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 75060aa4: NOKEY
Public key for conmon-2.0.21-1.el7.x86_64.rpm is not installed
--------------------------------------------------------------------------------
Total                                               4.9 MB/s |  64 MB  00:00:13
Retrieving key from https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/repodata/repomd.xml.key
Importing GPG key 0x75060AA4:
 Userid     : "devel:kubic OBS Project <devel:kubic@build.opensuse.org>"
 Fingerprint: 2472 d6d0 d2f6 6af8 7aba 8da3 4d64 3903 7506 0aa4
 From       : https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/repodata/repomd.xml.key
Retrieving key from https://download.copr.fedorainfracloud.org/results/lsm5/container-selinux/pubkey.gpg
Importing GPG key 0x2E35D101:
 Userid     : "lsm5_container-selinux (None) <lsm5#container-selinux@copr.fedorahosted.org>"
 Fingerprint: 2df0 be4e 8ae0 f74c 44fb 55e5 2f94 c97f 2e35 d101
 From       : https://download.copr.fedorainfracloud.org/results/lsm5/container-selinux/pubkey.gpg
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  [install progress for packages 1-12/19 omitted]
  Installing : 2:container-selinux-2.107-3.el7.noarch                      13/19
setsebool:  SELinux is disabled.
Failed to resolve allow statement at /etc/selinux/targeted/tmp/modules/200/container/cil:1121
/usr/sbin/semodule:  Failed!
Error loading SELinux module.
/var/tmp/rpm-tmp.Q1oxhe: line 12: return: can only `return' from a function or sourced script
  [install and verify progress for the remaining packages omitted]

Installed:
  podman.x86_64 0:2.2.1-1.el7

Dependency Installed:
  audit-libs-python.x86_64 0:2.8.1-3.amzn2.1          catatonit.x86_64 0:0.1.5-1.el7
  checkpolicy.x86_64 0:2.5-6.amzn2                    conmon.x86_64 2:2.0.21-1.el7
  container-selinux.noarch 2:2.107-3.el7              containernetworking-plugins.x86_64 0:0.9.0-1.el7
  containers-common.x86_64 2:1.2.0-15.el7             dnsmasq.x86_64 0:2.76-16.amzn2.0.1
  libnftnl.x86_64 0:1.1.5-4.amzn2                     libselinux-python.x86_64 0:2.5-12.amzn2.0.2
  libsemanage-python.x86_64 0:2.5-11.amzn2            libslirp.x86_64 0:4.3.1-2.el7
  nftables.x86_64 1:0.9.0-14.amzn2.0.1                podman-plugins.x86_64 0:2.2.1-1.el7
  policycoreutils-python.x86_64 0:2.5-22.amzn2        python-IPy.noarch 0:0.75-6.amzn2.0.1
  setools-libs.x86_64 0:3.3.8-2.amzn2.0.2             slirp4netns.x86_64 0:1.1.8-1.el7

Complete!
[root@ip-192-168-114-198 ~]#
2. help
[root@ip-192-168-114-198 ~]# podman --help
Manage pods, containers and images

Usage:
  podman [options] [command]

Available Commands:
  attach      Attach to a running container
  auto-update Auto update containers according to their auto-update policy
  build       Build an image using instructions from Containerfiles
  commit      Create new image based on the changed container
  container   Manage containers
  cp          Copy files/folders between a container and the local filesystem
  create      Create but do not start a container
  diff        Display the changes to the object's file system
  events      Show podman events
  exec        Run a process in a running container
  export      Export container's filesystem contents as a tar archive
  generate    Generate structured data based on containers and pods.
  healthcheck Manage health checks on containers
  help        Help about any command
  history     Show history of a specified image
  image       Manage images
  images      List images in local storage
  import      Import a tarball to create a filesystem image
  info        Display podman system information
  init        Initialize one or more containers
  inspect     Display the configuration of object denoted by ID
  kill        Kill one or more running containers with a specific signal
  load        Load image(s) from a tar archive
  login       Login to a container registry
  logout      Logout of a container registry
  logs        Fetch the logs of one or more containers
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  network     Manage networks
  pause       Pause all the processes in one or more containers
  play        Play a pod and its containers from a structured file.
  pod         Manage pods
  port        List port mappings or a specific mapping for the container
  ps          List containers
  pull        Pull an image from a registry
  push        Push an image to a specified destination
  restart     Restart one or more containers
  rm          Remove one or more containers
  rmi         Removes one or more images from local storage
  run         Run a command in a new container
  save        Save image(s) to an archive
  search      Search registry for image
  start       Start one or more containers
  stats       Display a live stream of container resource usage statistics
  stop        Stop one or more containers
  system      Manage podman
  tag         Add an additional name to a local image
  top         Display the running processes of a container
  unmount     Unmounts working container's root filesystem
  unpause     Unpause the processes in one or more containers
  unshare     Run a command in a modified user namespace
  untag       Remove a name from a local image
  version     Display the Podman Version Information
  volume      Manage volumes
  wait        Block on one or more containers

Options:
      --cgroup-manager string     Cgroup manager to use ("cgroupfs"|"systemd") (default "systemd")
      --cni-config-dir string     Path of the configuration directory for CNI networks (default "/usr/libexec/cni")
      --conmon string             Path of the conmon binary
  -c, --connection string         Connection to use for remote Podman service
      --events-backend string     Events backend to use ("file"|"journald"|"none") (default "journald")
      --help                      Help for podman
      --hooks-dir strings         Set the OCI hooks directory path (may be set multiple times) (default [/usr/share/containers/oci/hooks.d])
      --identity string           path to SSH identity file, (CONTAINER_SSHKEY)
      --log-level string          Log messages above specified level (debug, info, warn, error, fatal, panic) (default "error")
      --namespace string          Set the libpod namespace, used to create separate views of the containers and pods on the system
      --network-cmd-path string   Path to the command for configuring the network
  -r, --remote                    Access remote Podman service (default false)
      --root string               Path to the root directory in which data, including images, is stored
      --runroot string            Path to the 'run directory' where all state information is stored
      --runtime string            Path to the OCI-compatible binary used to run containers, default is /usr/bin/runc
      --runtime-flag stringArray  add global flags for the container runtime
      --storage-driver string     Select which storage driver is used to manage storage of images and containers (default is overlay)
      --storage-opt stringArray   Used to pass an option to the storage driver
      --syslog                    Output logging information to syslog as well as the console (default false)
      --tmpdir string             Path to the tmp directory for libpod state content.
                                  Note: use the environment variable 'TMPDIR' to change the temporary storage location for container images, '/var/tmp'.
      --url string                URL to access Podman service (CONTAINER_HOST) (default "unix:/run/podman/podman.sock")
  -v, --version                   version for podman
[root@ip-192-168-114-198 ~]#
3. Troubleshooting

a. invalid argument metacopy

[root@ip-192-168-114-198 ~]# podman version
Error: failed to mount overlay for metacopy check with "nodev,metacopy=on" options: invalid argument
[root@ip-192-168-114-198 ~]#

If podman commands fail with the error above, open the storage configuration:

[root@ip-192-168-114-198 ~]# vi /etc/containers/storage.conf
#mountopt = "nodev,metacopy=on"
[root@ip-192-168-114-198 ~]#

Find the mountopt line shown above and comment it out as shown.

[root@ip-192-168-114-198 ~]# podman version
Version:      2.2.1
API Version:  2.1.0
Go Version:   go1.15.5
Built:        Wed Dec  9 18:33:46 2020
OS/Arch:      linux/amd64
[root@ip-192-168-114-198 ~]#

Running the command again afterwards, as above, shows it working normally.
b. error adding seccomp rule for syscall socket

[root@ip-192-168-114-198 ~]# podman run -itd --name fedora fedora /bin/bash
Error: OCI runtime error: container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
[root@ip-192-168-114-198 ~]#

If podman run fails with the error above:

[root@ip-192-168-114-198 ~]# podman run -itd --security-opt=seccomp=unconfined --name fedora fedora /bin/bash
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]# podman ps -a
CONTAINER ID  IMAGE                                     COMMAND    CREATED        STATUS            PORTS   NAMES
1a005abd9ae8  registry.fedoraproject.org/fedora:latest  /bin/bash  7 seconds ago  Up 6 seconds ago          fedora
[root@ip-192-168-114-198 ~]#

Either run yum update to bring the package versions in line, or work around it by adding the --security-opt=seccomp=unconfined option, which runs the container without a seccomp syscall filter. yum update is recommended where possible.
4. podman cli

a. image registry locations (registries.conf.d/shortnames.conf)

[root@ip-192-168-114-198 ~]# vi /etc/containers/registries.conf.d/shortnames.conf
[aliases]
  # centos
  "centos" = "registry.centos.org/centos"
  # containers
  "skopeo" = "quay.io/skopeo/stable"
  "buildah" = "quay.io/buildah/stable"
  "podman" = "quay.io/podman/stable"
  # docker
  "alpine" = "docker.io/library/alpine"
  "docker" = "docker.io/library/docker"
  "registry" = "docker.io/library/registry"
  "hello-world" = "docker.io/library/hello-world"
  "swarm" = "docker.io/library/swarm"
  # Fedora
  "fedora-minimal" = "registry.fedoraproject.org/fedora-minimal"
  "fedora" = "registry.fedoraproject.org/fedora"
  # openSUSE
  "opensuse/tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
  "opensuse/busybox" = "registry.opensuse.org/opensuse/busybox"
  "tumbleweed" = "registry.opensuse.org/opensuse/tumbleweed"
  "leap" = "registry.opensuse.org/opensuse/leap"
  "tw-busybox" = "registry.opensuse.org/opensuse/busybox"
  # SUSE
  "suse/sle15" = "registry.suse.com/suse/sle15"
  "suse/sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "suse/sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "suse/sles12sp3" = "registry.suse.com/suse/sles12sp3"
  "sle15" = "registry.suse.com/suse/sle15"
  "sles12sp5" = "registry.suse.com/suse/sles12sp5"
  "sles12sp4" = "registry.suse.com/suse/sles12sp4"
  "sles12sp3" = "registry.suse.com/suse/sles12sp3"
  # Red Hat Enterprise Linux
  "rhel" = "registry.access.redhat.com/rhel"
  "rhel6" = "registry.access.redhat.com/rhel6"
  "rhel7" = "registry.access.redhat.com/rhel7"
  "ubi7" = "registry.access.redhat.com/ubi7"
  "ubi7-init" = "registry.access.redhat.com/ubi7-init"
  "ubi7-minimal" = "registry.access.redhat.com/ubi7-minimal"
  "ubi8" = "registry.access.redhat.com/ubi8"
  "ubi8-minimal" = "registry.access.redhat.com/ubi8-minimal"
  "ubi8-init" = "registry.access.redhat.com/ubi8-init"
  # Debian
  "debian" = "docker.io/library/debian"
[root@ip-192-168-114-198 ~]#
b. image pull

[root@ip-192-168-114-198 ~]# podman pull fedora
Resolved short name "fedora" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.fedoraproject.org/fedora:latest...
Getting image source signatures
Copying blob 8fde7942e775 done
Copying config 79fd58dc76 done
Writing manifest to image destination
Storing signatures
79fd58dc76113dac76a120f22cadecc3b2d1794b414f90ea368cf66096700053
[root@ip-192-168-114-198 ~]#
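The "Resolved short name" message in the pull output above comes from the aliases table in shortnames.conf. As an added example (not podman's own code), here is a small parser for that [aliases] table together with a resolver that applies the same rules: a fully qualified reference passes through, an aliased short name is expanded, and any other short name is rejected unless a list of unqualified-search registries is supplied. The embedded config is a constructed excerpt of the file shown above, and the enforcing/permissive split is a simplified model of podman's short-name-mode setting (no interactive prompt).

```python
"""Short-name resolution as configured by registries.conf.d/shortnames.conf.

Added example, not podman's own code.  parse_aliases() reads the [aliases]
table format shown above (a constructed excerpt is embedded below) and
resolve() applies the short-name rules: a fully qualified reference passes
through, a short name with an alias is expanded, and any other short name is
rejected unless a list of unqualified-search registries is given.  The
enforcing/permissive split is modelled on podman's short-name-mode setting
but simplified (no interactive prompt)."""

import re
from typing import Dict, Optional, Sequence, Tuple

# Constructed excerpt of /etc/containers/registries.conf.d/shortnames.conf
SAMPLE_SHORTNAMES = """
[aliases]
  # containers
  "skopeo" = "quay.io/skopeo/stable"
  "podman" = "quay.io/podman/stable"
  # docker
  "alpine" = "docker.io/library/alpine"
  "hello-world" = "docker.io/library/hello-world"
  # Fedora
  "fedora" = "registry.fedoraproject.org/fedora"
  # openSUSE
  "opensuse/leap" = "registry.opensuse.org/opensuse/leap"
"""

_ALIAS_LINE = re.compile(r'^"([^"]+)"\s*=\s*"([^"]+)"$')


def parse_aliases(text: str) -> Dict[str, str]:
    """Return the short-name -> fully-qualified-name map from [aliases]."""
    aliases: Dict[str, str] = {}
    in_aliases = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if line.startswith("["):                 # a new TOML table starts
            in_aliases = line == "[aliases]"
            continue
        match = _ALIAS_LINE.match(line)
        if in_aliases and match:
            aliases[match.group(1)] = match.group(2)
    return aliases


def is_fully_qualified(name: str) -> bool:
    """True when the first path component names a registry: it contains a
    dot or a port, or is "localhost" (as in localhost/podmanbuilt above)."""
    first, _, rest = name.partition("/")
    return bool(rest) and ("." in first or ":" in first or first == "localhost")


def split_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split NAME[:TAG][@DIGEST] into (name, tag, digest)."""
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # a colon after the last slash separates the tag; before it, it is a port
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        return ref[:colon], ref[colon + 1:], digest
    return ref, None, digest


def _qualify(registry: str, path: str) -> str:
    """docker.io keeps official images under the library/ namespace."""
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return f"{registry}/{path}"


def resolve(ref: str, aliases: Dict[str, str],
            search_registries: Sequence[str] = ()) -> str:
    """Return the fully qualified reference for ref.

    Raises ValueError for a short name with no alias when no
    unqualified-search registries are configured (enforcing behaviour)."""
    name, tag, digest = split_reference(ref)
    if is_fully_qualified(name):
        registry, _, path = name.partition("/")
        target = _qualify(registry, path)
    elif name in aliases:
        target = aliases[name]
    elif search_registries:
        # permissive fallback: the first configured search registry wins
        target = _qualify(search_registries[0], name)
    else:
        raise ValueError(f"short name {ref!r} has no alias; use a fully qualified name")
    return f"{target}@{digest}" if digest else f"{target}:{tag or 'latest'}"


def is_pullable(ref: str, aliases: Dict[str, str],
                search_registries: Sequence[str] = ()) -> bool:
    """Policy pre-check: does this reference resolve without guesswork?"""
    try:
        resolve(ref, aliases, search_registries)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_SHORTNAMES)
    for candidate in ("fedora", "opensuse/leap:15.4", "localhost/podmanbuilt", "ubuntu"):
        print(candidate, "->", resolve(candidate, table) if is_pullable(candidate, table)
              else "rejected: no alias and not fully qualified")
```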
c. listing images

[root@ip-192-168-114-198 ~]# podman images
REPOSITORY                         TAG     IMAGE ID      CREATED       SIZE
registry.fedoraproject.org/fedora  latest  79fd58dc7611  2 months ago  181 MB
[root@ip-192-168-114-198 ~]#

d. listing container processes

[root@ip-192-168-114-198 ~]# podman ps -a
CONTAINER ID  IMAGE                                     COMMAND    CREATED             STATUS                 PORTS   NAMES
1a005abd9ae8  registry.fedoraproject.org/fedora:latest  /bin/bash  About a minute ago  Up About a minute ago          fedora
[root@ip-192-168-114-198 ~]#
e. container run

[root@ip-192-168-114-198 ~]# podman run -itd --security-opt=seccomp=unconfined --name fedora fedora /bin/bash
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]#

f. container stop

[root@ip-192-168-114-198 ~]# podman stop fedora
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]#

g. container rm

[root@ip-192-168-114-198 ~]# podman rm fedora
1a005abd9ae8f54fb3f1925d8f2d71c963d4780b0dc90deb59e673301ae888d9
[root@ip-192-168-114-198 ~]#

h. image rm

[root@ip-192-168-114-198 ~]# podman images
REPOSITORY                         TAG     IMAGE ID      CREATED       SIZE
registry.fedoraproject.org/fedora  latest  79fd58dc7611  2 months ago  181 MB
[root@ip-192-168-114-198 ~]# podman rmi 79fd58dc7611
Untagged: registry.fedoraproject.org/fedora:latest
Deleted: 79fd58dc76113dac76a120f22cadecc3b2d1794b414f90ea368cf66096700053
[root@ip-192-168-114-198 ~]#
i. podman build steps

[root@ip-192-168-114-198 ~]# cat Dockerfile
FROM docker.io/ubuntu
ENTRYPOINT echo "Podman build this container."
[root@ip-192-168-114-198 ~]# podman build -t podmanbuilt .
STEP 1: FROM docker.io/ubuntu
Getting image source signatures
Copying blob 14428a6d4bcd done
Copying blob da7391352a9b [======================================] 27.2MiB / 27.2MiB
Copying blob 2c2d948710f2 done
Copying config f643c72bc2 done
Writing manifest to image destination
Storing signatures
STEP 2: ENTRYPOINT echo "Podman build this container."
STEP 3: COMMIT podmanbuilt
--> 0989a71c8de
0989a71c8dee1650bac3b95ffe836d4a9dcc17f2f0bb17c91f4d47f54827aec5
[root@ip-192-168-114-198 ~]# podman run --rm --security-opt=seccomp=unconfined podmanbuilt
Podman build this container.
[root@ip-192-168-114-198 ~]#

As shown above, you can write a Dockerfile, run podman build, and start a container process from the resulting image.
5. docker compatibility

[root@ip-192-168-114-198 ~]# podman save localhost/podmanbuilt -o podmanbuild.tar
[root@ip-192-168-114-198 ~]# docker load -i podmanbuild.tar
bacd3af13903: Loading layer [==================================================>]  75.27MB/75.27MB
9069f84dbbe9: Loading layer [==================================================>]  15.36kB/15.36kB
f6253634dc78: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: localhost/podmanbuilt:latest
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED        SIZE
localhost/podmanbuilt                  latest    0989a71c8dee   2 hours ago    72.9MB
nara0617/hello-python                  latest    c6b350e97471   12 days ago    55.2MB
gcr.io/knative-samples/helloworld-go   latest    7de72db4aca7   2 years ago    781MB
[root@ip-192-168-114-198 ~]# docker run --rm localhost/podmanbuilt
Podman build this container.
[root@ip-192-168-114-198 ~]#

As shown above, an image created with podman can be moved over to docker in the order podman save > docker load > docker images > docker run, and it starts normally there.

So podman accepts the same cli commands you were using with docker. Its particular advantage is that it can build and run images on its own, without a runtime daemon such as the docker daemon.
Buildah: building containers

buildah can be used in place of docker build to build container images from Dockerfiles or from other kinds of input.

1. install

[root@ip-192-168-114-198 ~]# sudo yum -y install buildah
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                               | 3.7 kB  00:00:00
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package buildah.x86_64 0:1.18.0-2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch      Version          Repository                         Size
================================================================================
Installing:
 buildah      x86_64    1.18.0-2.el7     devel_kubic_libcontainers_stable   13 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 13 M
Installed size: 34 M
Downloading packages:
buildah-1.18.0-2.el7.x86_64.rpm                          |  13 MB  00:00:07
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : buildah-1.18.0-2.el7.x86_64                                  1/1
  Verifying  : buildah-1.18.0-2.el7.x86_64                                  1/1

Installed:
  buildah.x86_64 0:1.18.0-2.el7

Complete!
[root@ip-192-168-114-198 ~]#
2. help
[root@ip-192-168-114-198 ~]# buildah --help
A tool that facilitates building OCI images

Usage:
  buildah [flags]
  buildah [command]

Available Commands:
  add         Add content to the container
  bud         Build an image using instructions in a Dockerfile
  commit      Create an image from a working container
  config      Update image configuration settings
  containers  List working containers and their base images
  copy        Copy content into the container
  from        Create a working container based on an image
  help        Help about any command
  images      List images in local storage
  info        Display Buildah system information
  inspect     Inspect the configuration of a container or image
  login       Login to a container registry
  logout      Logout of a container registry
  manifest    Manipulate manifest lists and image indexes
  mount       Mount a working container's root filesystem
  pull        Pull an image from the specified location
  push        Push an image to a specified destination
  rename      Rename a container
  rm          Remove one or more working containers
  rmi         Remove one or more images from local storage
  run         Run a command inside of the container
  tag         Add an additional name to a local image
  umount      Unmount the root file system of the specified working containers
  unshare     Run a command in a modified user namespace
  version     Display the Buildah version information

Flags:
  -h, --help                                  help for buildah
      --log-level string                      The log level to be used. Either "debug", "info", "warn" or "error". (default "warn")
      --registries-conf string                path to registries.conf file (not usually used)
      --registries-conf-dir string            path to registries.conf.d directory (not usually used)
      --root string                           storage root dir (default "/var/lib/containers/storage")
      --runroot string                        storage state dir (default "/var/run/containers/storage")
      --storage-driver string                 storage-driver (default "overlay")
      --storage-opt strings                   storage driver option
      --userns-gid-map ctrID:hostID:length    default ctrID:hostID:length GID mapping to use
      --userns-uid-map ctrID:hostID:length    default ctrID:hostID:length UID mapping to use
  -v, --version                               version for buildah

Use "buildah [command] --help" for more information about a command.
[root@ip-192-168-114-198 ~]#
3. Troubleshooting
a. error adding seccomp rule for syscall socket: requested action matches default action of filter
[root@ip-192-168-114-198 ~]# buildah run fedora-working-container cat /etc/redhat-release
ERRO[0000] container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
container_linux.go:349: starting container process caused "error adding seccomp rule for syscall socket: requested action matches default action of filter"
error running container: error creating container for [/usr/bin/cat /etc/redhat-release]: : exit status 1
error while running runtime: exit status 1
[root@ip-192-168-114-198 ~]#
When the error above occurs, run yum update and then retry the command.
[root@ip-192-168-114-198 ~]# buildah run fedora-working-container cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]#
4. buildah cli
a. buildah from
[root@ip-192-168-114-198 ~]# buildah from docker://docker.io/fedora
Getting image source signatures
Copying blob ae7b613df528 done
Copying config b3048463dc done
Writing manifest to image destination
Storing signatures
fedora-working-container
[root@ip-192-168-114-198 ~]#
b. buildah containers
[root@ip-192-168-114-198 ~]# buildah containers
CONTAINER ID  BUILDER  IMAGE ID      IMAGE NAME                        CONTAINER NAME
6ffb3cf4bd18     *     b3048463dcef  docker.io/library/fedora:latest   fedora-working-container
[root@ip-192-168-114-198 ~]#
c. buildah run
[root@ip-192-168-114-198 ~]# buildah run fedora-working-container cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]#
d. buildah inspect
[root@ip-192-168-114-198 ~]# buildah inspect fedora-working-container { "Type": "buildah 0.0.1", "FromImage": "docker.io/library/fedora:latest", "FromImageID": "b3048463dcefbe4920ef2ae1af43171c9695e2077f315b2bc12ed0f6f67c86c7", "FromImageDigest": "sha256:fdf235fa167d2aa5d820fba274ec1d2edeb0534bd32d28d602a19b31bad79b80", "Config": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"DISTTAG=f33container\",\"FGC=f33\",\"FBR=f33\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{\"maintainer\":\"Clement Verna \\u003ccverna@fedoraproject.org\\u003e\"}},\"container\":\"50cf73b69958473ab2f9a10d3249df073c99b7767ec7f1ff5ffd56da4f35397b\",\"container_config\":{\"Hostname\":\"50cf73b69958\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\",\"DISTTAG=f33container\",\"FGC=f33\",\"FBR=f33\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) \",\"CMD [\\\"/bin/bash\\\"]\"],\"Image\":\"sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{\"maintainer\":\"Clement Verna \\u003ccverna@fedoraproject.org\\u003e\"}},\"created\":\"2020-11-12T00:25:31.334712859Z\",\"docker_version\":\"19.03.12\",\"history\":[{\"created\":\"2019-01-16T21:21:55.569693599Z\",\"created_by\":\"/bin/sh -c #(nop) LABEL maintainer=Clement Verna 
\\u003ccverna@fedoraproject.org\\u003e\",\"empty_layer\":true},{\"created\":\"2020-04-30T23:21:44.324893962Z\",\"created_by\":\"/bin/sh -c #(nop) ENV DISTTAG=f33container FGC=f33 FBR=f33\",\"empty_layer\":true},{\"created\":\"2020-11-12T00:25:30.976066436Z\",\"created_by\":\"/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / \"},{\"created\":\"2020-11-12T00:25:31.334712859Z\",\"created_by\":\"/bin/sh -c #(nop) CMD [\\\"/bin/bash\\\"]\",\"empty_layer\":true}],\"os\":\"linux\",\"rootfs\":{\"type\":\"layers\",\"diff_ids\":[\"sha256:ed0c36ccfcbe08498869bb435711b2657b593806792e29582fa90f43d87b2dfb\"]}}", "Manifest": "{\n \"schemaVersion\": 2,\n \"mediaType\": \"application/vnd.docker.distribution.manifest.v2+json\",\n \"config\": {\n \"mediaType\": \"application/vnd.docker.container.image.v1+json\",\n \"size\": 1997,\n \"digest\": \"sha256:b3048463dcefbe4920ef2ae1af43171c9695e2077f315b2bc12ed0f6f67c86c7\"\n },\n \"layers\": [\n {\n \"mediaType\": \"application/vnd.docker.image.rootfs.diff.tar.gzip\",\n \"size\": 63374419,\n \"digest\": \"sha256:ae7b613df528a37664448affa6e52ff405701cda015a2a67301423bc20226b61\"\n }\n ]\n}", "Container": "fedora-working-container", "ContainerID": "6ffb3cf4bd18652a1b4c9f75d550ef7a4c4385cc7617e3953d41793f3a57f13d", "MountPoint": "", "ProcessLabel": "", "MountLabel": "", "ImageAnnotations": null, "ImageCreatedBy": "", "OCIv1": { "created": "2020-11-12T00:25:31.334712859Z", "architecture": "amd64", "os": "linux", "config": { "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "DISTTAG=f33container", "FGC=f33", "FBR=f33" ], "Cmd": [ "/bin/bash" ], "Labels": { "maintainer": "Clement Verna <cverna@fedoraproject.org>" } }, "rootfs": { "type": "layers", "diff_ids": [ "sha256:ed0c36ccfcbe08498869bb435711b2657b593806792e29582fa90f43d87b2dfb" ] }, "history": [ { "created": "2019-01-16T21:21:55.569693599Z", "created_by": "/bin/sh -c #(nop) LABEL maintainer=Clement Verna 
<cverna@fedoraproject.org>", "empty_layer": true }, { "created": "2020-04-30T23:21:44.324893962Z", "created_by": "/bin/sh -c #(nop) ENV DISTTAG=f33container FGC=f33 FBR=f33", "empty_layer": true }, { "created": "2020-11-12T00:25:30.976066436Z", "created_by": "/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / " }, { "created": "2020-11-12T00:25:31.334712859Z", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]", "empty_layer": true } ] }, "Docker": { "created": "2020-11-12T00:25:31.334712859Z", "container": "50cf73b69958473ab2f9a10d3249df073c99b7767ec7f1ff5ffd56da4f35397b", "container_config": { "Hostname": "", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "DISTTAG=f33container", "FGC=f33", "FBR=f33" ], "Cmd": [ "/bin/bash" ], "Image": "sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": [], "Labels": { "maintainer": "Clement Verna <cverna@fedoraproject.org>" } }, "config": { "Hostname": "", "Domainname": "", "User": "", "AttachStdin": false, "AttachStdout": false, "AttachStderr": false, "Tty": false, "OpenStdin": false, "StdinOnce": false, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "DISTTAG=f33container", "FGC=f33", "FBR=f33" ], "Cmd": [ "/bin/bash" ], "Image": "sha256:3b1b0c55a47e10ea93d904fc20c39d253f9e1ad770922e8fb4af93dcec6691ce", "Volumes": null, "WorkingDir": "", "Entrypoint": null, "OnBuild": [], "Labels": { "maintainer": "Clement Verna <cverna@fedoraproject.org>" } }, "architecture": "amd64", "os": "linux", "rootfs": { "type": "layers", "diff_ids": [ "sha256:ed0c36ccfcbe08498869bb435711b2657b593806792e29582fa90f43d87b2dfb" ] }, "history": [ { "created": "2019-01-16T21:21:55.569693599Z", "created_by": 
"/bin/sh -c #(nop) LABEL maintainer=Clement Verna <cverna@fedoraproject.org>", "empty_layer": true }, { "created": "2020-04-30T23:21:44.324893962Z", "created_by": "/bin/sh -c #(nop) ENV DISTTAG=f33container FGC=f33 FBR=f33", "empty_layer": true }, { "created": "2020-11-12T00:25:30.976066436Z", "created_by": "/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / " }, { "created": "2020-11-12T00:25:31.334712859Z", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]", "empty_layer": true } ] }, "DefaultMountsFilePath": "", "Isolation": "IsolationOCI", "NamespaceOptions": [ { "Name": "cgroup", "Host": true, "Path": "" }, { "Name": "ipc", "Host": false, "Path": "" }, { "Name": "mount", "Host": false, "Path": "" }, { "Name": "network", "Host": true, "Path": "" }, { "Name": "pid", "Host": false, "Path": "" }, { "Name": "user", "Host": true, "Path": "" }, { "Name": "uts", "Host": false, "Path": "" } ], "Capabilities": [ "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", "CAP_SYS_CHROOT" ], "ConfigureNetwork": "NetworkDefault", "CNIPluginPath": "/usr/libexec/cni:/opt/cni/bin", "CNIConfigDir": "/etc/cni/net.d", "IDMappingOptions": { "HostUIDMapping": true, "HostGIDMapping": true, "UIDMap": [], "GIDMap": [] }, "History": [ { "created": "2019-01-16T21:21:55.569693599Z", "created_by": "/bin/sh -c #(nop) LABEL maintainer=Clement Verna <cverna@fedoraproject.org>", "empty_layer": true }, { "created": "2020-04-30T23:21:44.324893962Z", "created_by": "/bin/sh -c #(nop) ENV DISTTAG=f33container FGC=f33 FBR=f33", "empty_layer": true }, { "created": "2020-11-12T00:25:30.976066436Z", "created_by": "/bin/sh -c #(nop) ADD file:240dde03c4d9f0ad759f8d1291fb45ab2745b6a108c6164d746766239d3420ab in / " }, { "created": "2020-11-12T00:25:31.334712859Z", "created_by": "/bin/sh -c #(nop) CMD [\"/bin/bash\"]", "empty_layer": true } ], "Devices": [] }
5. Docker & Podman compatibility
[root@ip-192-168-114-198 ~]# buildah commit fedora-working-container fedora-working-container
Getting image source signatures
Copying blob ed0c36ccfcbe skipped: already exists
Copying blob f944408e588c done
Copying config 245f01352d done
Writing manifest to image destination
Storing signatures
245f01352d01fe13ef5b13525964bfbb3934e1ca8abafc15a1ab9fc6e1544618
[root@ip-192-168-114-198 ~]# buildah images
REPOSITORY                           TAG      IMAGE ID       CREATED          SIZE
localhost/fedora-working-container   latest   245f01352d01   6 seconds ago    181 MB
localhost/podmanbuilt                latest   0989a71c8dee   2 hours ago      75.3 MB
docker.io/library/ubuntu             latest   f643c72bc252   4 weeks ago      75.3 MB
docker.io/library/fedora             latest   b3048463dcef   6 weeks ago      181 MB
[root@ip-192-168-114-198 ~]# podman run localhost/fedora-working-container:latest cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]# podman save localhost/fedora-working-container -o fedora-working-container.tar
[root@ip-192-168-114-198 ~]# docker load -i fedora-working-container.tar
ed0c36ccfcbe: Loading layer [==================================================>]  181.1MB/181.1MB
f944408e588c: Loading layer [==================================================>]  2.56kB/2.56kB
Loaded image: localhost/fedora-working-container:latest
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG       IMAGE ID       CREATED         SIZE
localhost/fedora-working-container     latest    245f01352d01   2 minutes ago   175MB
localhost/podmanbuilt                  latest    0989a71c8dee   2 hours ago     72.9MB
nara0617/hello-python                  latest    c6b350e97471   12 days ago     55.2MB
gcr.io/knative-samples/helloworld-go   latest    7de72db4aca7   2 years ago     781MB
[root@ip-192-168-114-198 ~]# docker run localhost/fedora-working-container:latest cat /etc/redhat-release
Fedora release 33 (Thirty Three)
[root@ip-192-168-114-198 ~]#
A container created with buildah can be turned into an image with buildah commit. The resulting image can be started with podman run; how to move it over to docker was covered in the podman part above.
The same /etc/redhat-release value is returned by buildah, podman and docker alike.
If the process of building an image with Buildah and Podman and pushing it to a registry is handled from the CLI, it can take the following form.
[root@ip-192-168-114-198 ~]# podman login -u $ID -p $PW docker.io
Login Succeeded!
[root@ip-192-168-114-198 ~]# cat Dockerfile
FROM docker.io/ubuntu
ENTRYPOINT echo "Podman build this container."
[root@ip-192-168-114-198 ~]# buildah bud -t nara0617/ubuntuecho:latest .
STEP 1: FROM docker.io/ubuntu
STEP 2: ENTRYPOINT echo "Podman build this container."
STEP 3: COMMIT nara0617/ubuntuecho:latest
Getting image source signatures
Copying blob bacd3af13903 skipped: already exists
Copying blob 9069f84dbbe9 skipped: already exists
Copying blob f6253634dc78 skipped: already exists
Copying blob 5f70bf18a086 done
Copying config a65de8136d done
Writing manifest to image destination
Storing signatures
--> a65de8136db
a65de8136db3de0892196a5cfbe2d4afe6fd26daf95c78eca1a9a3f31d0c340e
[root@ip-192-168-114-198 ~]# buildah push nara0617/ubuntuecho:latest docker://nara0617/ubuntuecho:latest
Getting image source signatures
Copying blob 5f70bf18a086 done
Copying blob bacd3af13903 skipped: already exists
Copying blob 9069f84dbbe9 skipped: already exists
Copying blob f6253634dc78 skipped: already exists
Copying config a65de8136d done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]# podman logout docker.io
Removed login credentials for docker.io
[root@ip-192-168-114-198 ~]#
If the steps above are managed as a stage of a CI/CD pipeline, they can be written as follows.
stage('Images Build') {
    steps {
        script {
            sh "podman version ; buildah version"
            sh "podman login -u $DOCKERHUB_ID -p $DOCKERHUB_PW docker.io "
            sh "buildah bud -t nara0617/ubuntuecho:latest ."
            sh "buildah push nara0617/ubuntuecho:latest docker://nara0617/ubuntuecho:latest"
            sh "podman logout docker.io"
        }
    }
}
As shown above, buildah supports building images and is compatible with podman, sharing the same repository storage. The usual pattern is to build and create images with buildah and then manage and run them with podman.
Skopeo : Container management
Skopeo can inspect images in a container image registry, fetch images and image layers, and create and verify images using signatures.
In general, both cloud environments and traditional legacy environments keep development, test and production environments physically separated. Each environment needs a CI/CD process that manages the whole application lifecycle, from source commit to production deployment.
In that CI/CD process, once an environment has met its goal (for example, a successful source build and the test-coverage target in development; container image start-up tests and a test release in the test environment; production deployment and rolling updates in production), responsibility for deployment is handed over from that environment to the next.
In a cloud environment, and in a container environment in particular, the artifact that is handed over can be the container image. (In a legacy environment it may be a war file or the source code itself.) A container image is made up of layers and is packaged and stored in an image registry. That registry may be public, such as DockerHub, ECR or ACR, or private, such as Nexus or Harbor. In multi-cloud or hybrid-cloud setups in particular, images may also have to be shared and transferred between two or more different cloud environments.
Across all of these cases, creating, storing or running images according to the OCI (Open Container Initiative) specification guarantees that an OCI-standard container image can be shared between all of these tools, whether it is built with Buildah, run in a Kubernetes cluster with CRI-O, or run with Docker.
1. install
[root@ip-192-168-114-198 ~]# sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_7/devel:kubic:libcontainers:stable.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   359  100   359    0     0    234      0  0:00:01  0:00:01 --:--:--   234
[root@ip-192-168-114-198 ~]# sudo yum -y install skopeo
Loaded plugins: copr, extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                                | 3.7 kB  00:00:00
devel_kubic_libcontainers_stable                          | 1.3 kB  00:00:00
1 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package skopeo.x86_64 2:1.2.0-15.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package     Arch     Version           Repository                        Size
================================================================================
Installing:
 skopeo      x86_64   2:1.2.0-15.el7    devel_kubic_libcontainers_stable  11 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 11 M
Installed size: 29 M
Downloading packages:
skopeo-1.2.0-15.el7.x86_64.rpm                            |  11 MB  00:00:06
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:skopeo-1.2.0-15.el7.x86_64                                1/1
  Verifying  : 2:skopeo-1.2.0-15.el7.x86_64                                1/1

Installed:
  skopeo.x86_64 2:1.2.0-15.el7

Complete!
[root@ip-192-168-114-198 ~]#
2. help
[root@ip-192-168-114-198 ~]# skopeo --help
Various operations with container images and container image registries

Usage:
  skopeo [command]

Available Commands:
  copy              Copy an IMAGE-NAME from one location to another
  delete            Delete image IMAGE-NAME
  help              Help about any command
  inspect           Inspect image IMAGE-NAME
  list-tags         List tags in the transport/repository specified by the REPOSITORY-NAME
  login             Login to a container registry
  logout            Logout of a container registry
  manifest-digest   Compute a manifest digest of a file
  standalone-sign   Create a signature using local files
  standalone-verify Verify a signature using local files
  sync              Synchronize one or more images from one location to another

Flags:
      --command-timeout duration   timeout for the command execution
      --debug                      enable debug output
  -h, --help                       help for skopeo
      --insecure-policy            run the tool without any policy check
      --override-arch ARCH         use ARCH instead of the architecture of the machine for choosing images
      --override-os OS             use OS instead of the running OS for choosing images
      --override-variant VARIANT   use VARIANT instead of the running architecture variant for choosing images
      --policy string              Path to a trust policy file
      --registries.d DIR           use registry configuration files in DIR (e.g. for container signature storage)
      --tmpdir string              directory used to store temporary files
  -v, --version                    Version for Skopeo

Use "skopeo [command] --help" for more information about a command.
[root@ip-192-168-114-198 ~]#
3. skopeo cli
a. skopeo inspect
[root@ip-192-168-114-198 ~]# skopeo inspect docker://docker.io/library/mariadb { "Name": "docker.io/library/mariadb", "Digest": "sha256:cdc553f0515a8d41264f0855120874e86761f7c69407b5cfbe49283dc195bea8", "RepoTags": [ "10-bionic", "10-focal", "10-jessie", "10.0-jessie", "10.0-xenial", "10.0.15", "10.0.16", "10.0.17", "10.0.19", "10.0.20", "10.0.21", "10.0.22", "10.0.23", "10.0.24", "10.0.25", "10.0.26", "10.0.27", "10.0.28", "10.0.29", "10.0.30", "10.0.31", "10.0.32", "10.0.33", "10.0.34", "10.0.35-jessie", "10.0.35-xenial", "10.0.35", "10.0.36-xenial", "10.0.36", "10.0.37-xenial", "10.0.37", "10.0.38-xenial", "10.0.38", "10.0", "10.1-bionic", "10.1-jessie", "10.1.1", "10.1.10", "10.1.11", "10.1.12", "10.1.13", "10.1.14", "10.1.15", "10.1.16", "10.1.17", "10.1.18", "10.1.19", "10.1.2", "10.1.20", "10.1.21", "10.1.22", "10.1.23", "10.1.24", "10.1.25", "10.1.26", "10.1.28", "10.1.29", "10.1.3", "10.1.30", "10.1.31", "10.1.32", "10.1.33", "10.1.34-bionic", "10.1.34-jessie", "10.1.34", "10.1.35-bionic", "10.1.35", "10.1.36-bionic", "10.1.36", "10.1.37-bionic", "10.1.37", "10.1.38-bionic", "10.1.38", "10.1.39-bionic", "10.1.39", "10.1.40-bionic", "10.1.40", "10.1.41-bionic", "10.1.41", "10.1.43-bionic", "10.1.43", "10.1.44-bionic", "10.1.44", "10.1.45-bionic", "10.1.45", "10.1.46-bionic", "10.1.46", "10.1.47-bionic", "10.1.47", "10.1.48-bionic", "10.1.48", "10.1", "10.2-bionic", "10.2-jessie", "10.2.10", "10.2.11", "10.2.12", "10.2.13", "10.2.14", "10.2.15", "10.2.16-bionic", "10.2.16-jessie", "10.2.16", "10.2.17-bionic", "10.2.17", "10.2.18-bionic", "10.2.18", "10.2.19-bionic", "10.2.19", "10.2.20-bionic", "10.2.20", "10.2.21-bionic", "10.2.21", "10.2.22-bionic", "10.2.22", "10.2.23-bionic", "10.2.23", "10.2.24-bionic", "10.2.24", "10.2.25-bionic", "10.2.25", "10.2.26-bionic", "10.2.26", "10.2.27-bionic", "10.2.27", "10.2.29-bionic", "10.2.29", "10.2.30-bionic", "10.2.30", "10.2.31-bionic", "10.2.31", "10.2.32-bionic", "10.2.32", "10.2.33-bionic", "10.2.33", 
"10.2.34-bionic", "10.2.34", "10.2.35-bionic", "10.2.35", "10.2.36-bionic", "10.2.36", "10.2.5", "10.2.6", "10.2.7", "10.2.8", "10.2.9", "10.2", "10.3-bionic", "10.3-focal", "10.3-jessie", "10.3.0", "10.3.1", "10.3.10-bionic", "10.3.10", "10.3.11-bionic", "10.3.11", "10.3.12-bionic", "10.3.12", "10.3.13-bionic", "10.3.13", "10.3.14-bionic", "10.3.14", "10.3.15-bionic", "10.3.15", "10.3.16-bionic", "10.3.16", "10.3.17-bionic", "10.3.17", "10.3.18-bionic", "10.3.18", "10.3.2", "10.3.20-bionic", "10.3.20", "10.3.21-bionic", "10.3.21", "10.3.22-bionic", "10.3.22", "10.3.23-bionic", "10.3.23-focal", "10.3.23", "10.3.24-focal", "10.3.24", "10.3.25-focal", "10.3.25", "10.3.26-focal", "10.3.26", "10.3.27-focal", "10.3.27", "10.3.3", "10.3.4", "10.3.5", "10.3.6", "10.3.7", "10.3.8-bionic", "10.3.8-jessie", "10.3.8", "10.3.9-bionic", "10.3.9", "10.3", "10.4-bionic", "10.4-focal", "10.4.0-bionic", "10.4.0", "10.4.1-bionic", "10.4.1", "10.4.10-bionic", "10.4.10", "10.4.11-bionic", "10.4.11", "10.4.12-bionic", "10.4.12", "10.4.13-bionic", "10.4.13-focal", "10.4.13", "10.4.14-focal", "10.4.14", "10.4.15-focal", "10.4.15", "10.4.16-focal", "10.4.16", "10.4.17-focal", "10.4.17", "10.4.2-bionic", "10.4.2", "10.4.3-bionic", "10.4.3", "10.4.4-bionic", "10.4.4", "10.4.5-bionic", "10.4.5", "10.4.6-bionic", "10.4.6", "10.4.7-bionic", "10.4.7", "10.4.8-bionic", "10.4.8", "10.4", "10.5-bionic", "10.5-focal", "10.5.1-bionic", "10.5.1", "10.5.2-bionic", "10.5.2", "10.5.3-bionic", "10.5.3-focal", "10.5.3", "10.5.4-focal", "10.5.4", "10.5.5-focal", "10.5.5", "10.5.6-focal", "10.5.6", "10.5.7-focal", "10.5.7", "10.5.8-focal", "10.5.8", "10.5", "10", "5-trusty", "5-wheezy", "5.5-trusty", "5.5-wheezy", "5.5.40", "5.5.41", "5.5.42", "5.5.43", "5.5.44", "5.5.45", "5.5.46", "5.5.47", "5.5.48", "5.5.49", "5.5.50", "5.5.51", "5.5.52", "5.5.53", "5.5.54", "5.5.55", "5.5.56", "5.5.57", "5.5.58", "5.5.59", "5.5.60-trusty", "5.5.60-wheezy", "5.5.60", "5.5.61-trusty", "5.5.61", "5.5.62-trusty", "5.5.62", 
"5.5.63-trusty", "5.5.63", "5.5.64-trusty", "5.5.64", "5.5", "5", "beta-bionic", "beta", "bionic", "focal", "jessie", "latest", "rc-bionic", "rc-focal", "rc" ], "Created": "2020-11-25T23:18:42.200902166Z", "DockerVersion": "19.03.12", "Labels": null, "Architecture": "amd64", "Os": "linux", "Layers": [ "sha256:da7391352a9bb76b292a568c066aa4c3cbae8d494e6a3c68e3c596d34f7c75f8", "sha256:14428a6d4bcdba49a64127900a0691fb00a3f329aced25eb77e3b65646638f8d", "sha256:2c2d948710f21ad82dce71743b1654b45acb5c059cf5c19da491582cef6f2601", "sha256:22776aa82430af24b71cc0294b9c2bddd7c9f4a0213d13967e3bccc4f1296948", "sha256:90e64230d63d996dc81a927a75ec71730d7bb1ece4e43d64d6f2b830dab4bc82", "sha256:f30861f14a103eb6617d70c0b3ddb21d08ac133ed9d4e073f16e6b17a089d539", "sha256:e8e9e6a3da2446ca697e0ccb0d7c44012e8573d4eb708b36f11a876657970d7b", "sha256:420a23f08c4147516e0f33d70c17c7f4d7a1e1ae4db8deb2a6a703f2c565483a", "sha256:bd73f23de4821d5ddc74bdc29ed54ccafac21587e18baf11431413d7906c4371", "sha256:a8690a3260b734a0e2fe29912f283112edfc4aa22a31bf7282282726e993a8cc", "sha256:4202ba90333a4d33b3cdeeefcac43e219ea015f484b4b92e14f865621128e237", "sha256:a33f860b4aa6bf9c5c6f3949001e39c976ac2eddf08295ab842bdc34114ac910" ], "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "GOSU_VERSION=1.12", "GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8", "MARIADB_MAJOR=10.5", "MARIADB_VERSION=1:10.5.8+maria~focal" ] } [root@ip-192-168-114-198 ~]#
b. skopeo copy
[root@ip-192-168-114-198 ~]# skopeo copy docker://docker.io/library/mariadb dir:/root/mariadb
Getting image source signatures
Copying blob da7391352a9b done
Copying blob 14428a6d4bcd done
Copying blob 2c2d948710f2 done
Copying blob 22776aa82430 done
Copying blob 90e64230d63d done
Copying blob f30861f14a10 done
Copying blob e8e9e6a3da24 done
Copying blob 420a23f08c41 done
Copying blob bd73f23de482 done
Copying blob a8690a3260b7 done
Copying blob 4202ba90333a done
Copying blob a33f860b4aa6 done
Copying config 3a348a04a8 done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]# ls -la mariadb/
total 122700
drwxr-xr-x  2 root root     4096 Dec 29 05:48 .
dr-xr-x--- 15 root root     4096 Dec 29 05:48 ..
-rw-r--r--  1 root root      847 Dec 29 05:48 14428a6d4bcdba49a64127900a0691fb00a3f329aced25eb77e3b65646638f8d
-rw-r--r--  1 root root     1752 Dec 29 05:48 22776aa82430af24b71cc0294b9c2bddd7c9f4a0213d13967e3bccc4f1296948
-rw-r--r--  1 root root      162 Dec 29 05:48 2c2d948710f21ad82dce71743b1654b45acb5c059cf5c19da491582cef6f2601
-rw-r--r--  1 root root     9043 Dec 29 05:48 3a348a04a8159339ed3ca053ea925f854252e6a6c3df6fa82c17625d1026f18b
-rw-r--r--  1 root root 88930464 Dec 29 05:48 4202ba90333a4d33b3cdeeefcac43e219ea015f484b4b92e14f865621128e237
-rw-r--r--  1 root root  1267437 Dec 29 05:48 420a23f08c4147516e0f33d70c17c7f4d7a1e1ae4db8deb2a6a703f2c565483a
-rw-r--r--  1 root root  5488627 Dec 29 05:48 90e64230d63d996dc81a927a75ec71730d7bb1ece4e43d64d6f2b830dab4bc82
-rw-r--r--  1 root root     4919 Dec 29 05:48 a33f860b4aa6bf9c5c6f3949001e39c976ac2eddf08295ab842bdc34114ac910
-rw-r--r--  1 root root      329 Dec 29 05:48 a8690a3260b734a0e2fe29912f283112edfc4aa22a31bf7282282726e993a8cc
-rw-r--r--  1 root root     2489 Dec 29 05:48 bd73f23de4821d5ddc74bdc29ed54ccafac21587e18baf11431413d7906c4371
-rw-r--r--  1 root root 28563271 Dec 29 05:48 da7391352a9bb76b292a568c066aa4c3cbae8d494e6a3c68e3c596d34f7c75f8
-rw-r--r--  1 root root      115 Dec 29 05:48 e8e9e6a3da2446ca697e0ccb0d7c44012e8573d4eb708b36f11a876657970d7b
-rw-r--r--  1 root root  1324655 Dec 29 05:48 f30861f14a103eb6617d70c0b3ddb21d08ac133ed9d4e073f16e6b17a089d539
-rw-r--r--  1 root root     2826 Dec 29 05:48 manifest.json
-rw-r--r--  1 root root       33 Dec 29 05:48 version
[root@ip-192-168-114-198 ~]#
c. skopeo layers
[root@ip-192-168-114-198 ~]# skopeo layers docker://docker.io/library/mariadb
DEPRECATED: skopeo layers is deprecated in favor of skopeo copy
[root@ip-192-168-114-198 ~]# ls -la layers-069532309/
total 122700
drwx------  2 root root     4096 Dec 29 05:51 .
dr-xr-x--- 16 root root     4096 Dec 29 05:50 ..
-rw-r--r--  1 root root      847 Dec 29 05:50 14428a6d4bcdba49a64127900a0691fb00a3f329aced25eb77e3b65646638f8d
-rw-r--r--  1 root root     1752 Dec 29 05:51 22776aa82430af24b71cc0294b9c2bddd7c9f4a0213d13967e3bccc4f1296948
-rw-r--r--  1 root root      162 Dec 29 05:50 2c2d948710f21ad82dce71743b1654b45acb5c059cf5c19da491582cef6f2601
-rw-r--r--  1 root root     9043 Dec 29 05:51 3a348a04a8159339ed3ca053ea925f854252e6a6c3df6fa82c17625d1026f18b
-rw-r--r--  1 root root 88930464 Dec 29 05:51 4202ba90333a4d33b3cdeeefcac43e219ea015f484b4b92e14f865621128e237
-rw-r--r--  1 root root  1267437 Dec 29 05:51 420a23f08c4147516e0f33d70c17c7f4d7a1e1ae4db8deb2a6a703f2c565483a
-rw-r--r--  1 root root  5488627 Dec 29 05:51 90e64230d63d996dc81a927a75ec71730d7bb1ece4e43d64d6f2b830dab4bc82
-rw-r--r--  1 root root     4919 Dec 29 05:51 a33f860b4aa6bf9c5c6f3949001e39c976ac2eddf08295ab842bdc34114ac910
-rw-r--r--  1 root root      329 Dec 29 05:51 a8690a3260b734a0e2fe29912f283112edfc4aa22a31bf7282282726e993a8cc
-rw-r--r--  1 root root     2489 Dec 29 05:51 bd73f23de4821d5ddc74bdc29ed54ccafac21587e18baf11431413d7906c4371
-rw-r--r--  1 root root 28563271 Dec 29 05:50 da7391352a9bb76b292a568c066aa4c3cbae8d494e6a3c68e3c596d34f7c75f8
-rw-r--r--  1 root root      115 Dec 29 05:51 e8e9e6a3da2446ca697e0ccb0d7c44012e8573d4eb708b36f11a876657970d7b
-rw-r--r--  1 root root  1324655 Dec 29 05:51 f30861f14a103eb6617d70c0b3ddb21d08ac133ed9d4e073f16e6b17a089d539
-rw-r--r--  1 root root      765 Dec 29 05:51 manifest.json
-rw-r--r--  1 root root       33 Dec 29 05:50 version
[root@ip-192-168-114-198 ~]#
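Both listings above show the same on-disk layout: manifest.json, a version file, and one file per blob named by the hex part of its sha256 digest. As an added example (not code from the original post or from the skopeo project), the following Python script re-hashes every blob in such a directory against the digest and size recorded in manifest.json, which is the check worth running before a copied directory is pushed on to another registry. The sample image it writes for the demo is constructed data, not a real image.

```python
"""Integrity check for the dir: layout that `skopeo copy ... dir:/path` writes.

The directory holds manifest.json, a version file and one file per blob named
by the hex part of the blob's sha256 digest. Every blob is re-hashed and
compared with the digest and size the manifest records, so a truncated or
tampered layer is caught before the directory is copied on to a registry.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Media types of a Docker schema-2 manifest, as seen in the buildah inspect output above.
MANIFEST_V2S2 = "application/vnd.docker.distribution.manifest.v2+json"
LAYER_TYPE = "application/vnd.docker.image.rootfs.diff.tar.gzip"
CONFIG_TYPE = "application/vnd.docker.container.image.v1+json"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_digest(image_dir) -> str:
    """Digest of manifest.json, the value `skopeo inspect` reports as "Digest"."""
    return "sha256:" + sha256_hex((Path(image_dir) / "manifest.json").read_bytes())


def verify_dir_image(image_dir):
    """Return (ok, problems); ok is True only when the config blob and every
    layer blob listed in the manifest exist and match their recorded digest."""
    image_dir = Path(image_dir)
    manifest_path = image_dir / "manifest.json"
    if not manifest_path.is_file():
        return False, ["manifest.json missing"]
    manifest = json.loads(manifest_path.read_bytes())
    if manifest.get("schemaVersion") != 2:
        return False, ["unsupported schemaVersion %r" % manifest.get("schemaVersion")]
    problems = []
    # Docker v2s2 and OCI manifests share the config/layers descriptor shape.
    for desc in [manifest["config"], *manifest.get("layers", [])]:
        digest = desc.get("digest", "")
        algo, _, hexpart = digest.partition(":")
        if algo != "sha256" or len(hexpart) != 64:
            problems.append("malformed or unsupported digest %r" % digest)
            continue
        blob = image_dir / hexpart  # blob files carry no "sha256:" prefix
        if not blob.is_file():
            problems.append("blob %s missing" % hexpart[:12])
            continue
        data = blob.read_bytes()
        if "size" in desc and len(data) != desc["size"]:
            problems.append("blob %s size %d != manifest size %d"
                            % (hexpart[:12], len(data), desc["size"]))
        if sha256_hex(data) != hexpart:
            problems.append("blob %s content does not match its digest" % hexpart[:12])
    return not problems, problems


def write_sample_image(image_dir, config: bytes, layers):
    """Write a constructed dir: layout (sample data, not a real image) and
    return its manifest digest, so the checker can be exercised offline."""
    image_dir = Path(image_dir)
    image_dir.mkdir(parents=True, exist_ok=True)

    def store(data: bytes, media_type: str) -> dict:
        hexpart = sha256_hex(data)
        (image_dir / hexpart).write_bytes(data)
        return {"mediaType": media_type, "size": len(data), "digest": "sha256:" + hexpart}

    manifest = {
        "schemaVersion": 2,
        "mediaType": MANIFEST_V2S2,
        "config": store(config, CONFIG_TYPE),
        "layers": [store(layer, LAYER_TYPE) for layer in layers],
    }
    (image_dir / "manifest.json").write_text(json.dumps(manifest, indent=3))
    # 33 bytes, matching the "version" file size in the listings above.
    (image_dir / "version").write_text("Directory Transport Version: 1.1\n")
    return manifest_digest(image_dir)


def tamper_demo():
    """Verify a constructed image, then overwrite one layer with same-sized bytes
    and verify again. Returns (ok_before, ok_after, problems_after)."""
    original = b"layer-0 (constructed)"
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_image(tmp, b'{"architecture":"amd64","os":"linux"}',
                           [original, b"layer-1 (constructed)"])
        ok_before, _ = verify_dir_image(tmp)
        # The file keeps its digest-derived name, so only re-hashing reveals the change.
        (Path(tmp) / sha256_hex(original)).write_bytes(b"layer-0 (tampered)   ")
        ok_after, problems = verify_dir_image(tmp)
    return ok_before, ok_after, problems


if __name__ == "__main__":
    print(tamper_demo())
```

Run against a real copy with verify_dir_image("/root/mariadb"); the size check passes for the tampered layer in the demo because the replacement has the same length, which is why the digest comparison is the check that matters.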
4. Usage
Skopeo is useful for inspecting and transferring images. It can inspect container images in any location capable of storing OCI images, and it can copy container images from one location to another.
The central command, skopeo copy, can be used as follows.
[root@ip-192-168-114-198 ~]# skopeo copy --help
Container "IMAGE-NAME" uses a "transport":"details" format.

Supported transports:
containers-storage, dir, docker, docker-archive, docker-daemon, oci, oci-archive, ostree, tarball

See skopeo(1) section "IMAGE NAMES" for the expected format

Usage:
  skopeo copy [command options] SOURCE-IMAGE DESTINATION-IMAGE

Examples:
  skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

Flags:
      --additional-tag strings                additional tags (supports docker-archive)
  -a, --all                                   Copy all images if SOURCE-IMAGE is a list
      --authfile string                       path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
      --decryption-key strings                *Experimental* key needed to decrypt the image
      --dest-authfile string                  path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
      --dest-cert-dir PATH                    use certificates at PATH (*.crt, *.cert, *.key) to connect to the registry or daemon
      --dest-compress                         Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)
      --dest-compress-format FORMAT           FORMAT to use for the compression
      --dest-compress-level LEVEL             LEVEL to use for the compression
      --dest-creds USERNAME[:PASSWORD]        Use USERNAME[:PASSWORD] for accessing the registry
      --dest-daemon-host HOST                 use docker daemon host at HOST (docker-daemon: only)
      --dest-no-creds                         Access the registry anonymously
      --dest-oci-accept-uncompressed-layers   Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed)
      --dest-registry-token string            Provide a Bearer token for accessing the registry
      --dest-shared-blob-dir DIRECTORY        DIRECTORY to use to share blobs across OCI repositories
      --dest-tls-verify                       require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true) (default )
      --encrypt-layer ints                    *Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)
      --encryption-key strings                *Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)
  -f, --format string                         MANIFEST TYPE (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
  -h, --help                                  help for copy
  -q, --quiet                                 Suppress output information when copying images
      --remove-signatures                     Do not copy signatures from SOURCE-IMAGE
      --retry-times int                       the number of times to possibly retry
      --sign-by FINGERPRINT                   Sign the image using a GPG key with the specified FINGERPRINT
      --src-authfile string                   path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json
      --src-cert-dir PATH                     use certificates at PATH (*.crt, *.cert, *.key) to connect to the registry or daemon
      --src-creds USERNAME[:PASSWORD]         Use USERNAME[:PASSWORD] for accessing the registry
      --src-daemon-host HOST                  use docker daemon host at HOST (docker-daemon: only)
      --src-no-creds                          Access the registry anonymously
      --src-registry-token string             Provide a Bearer token for accessing the registry
      --src-shared-blob-dir DIRECTORY         DIRECTORY to use to share blobs across OCI repositories
      --src-tls-verify                        require HTTPS and verify certificates when talking to the container registry or daemon (defaults to true) (default )
[root@ip-192-168-114-198 ~]#
Copying an image from the local Docker repository to DockerHub is as simple as the following.
[root@ip-192-168-114-198 ~]# skopeo login docker.io
Username: nara0617
Password:
Login Succeeded!
[root@ip-192-168-114-198 ~]# skopeo copy docker-daemon:localhost/podmanbuilt:latest docker://nara0617/myimage:1.0.0
Getting image source signatures
Copying blob 9069f84dbbe9 done
Copying blob bacd3af13903 done
Copying blob f6253634dc78 done
Copying config 0989a71c8d done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]#
Done this way, what would otherwise be a docker tag followed by a docker push is handled in one step.
[root@ip-192-168-114-198 ~]# docker rmi localhost/podmanbuilt
Untagged: localhost/podmanbuilt:latest
Deleted: sha256:0989a71c8dee1650bac3b95ffe836d4a9dcc17f2f0bb17c91f4d47f54827aec5
Deleted: sha256:9386795d450ce06c6819c8bc5eff8daa71d47ccb9f9fb8d49fe1ccfb5fb3edbe
Deleted: sha256:3779241fda7b1caf03964626c3503e930f2f19a5ffaba6f4b4ad21fd38df3b6b
Deleted: sha256:bacd3af13903e13a43fe87b6944acd1ff21024132aad6e74b4452d984fb1a99a
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG      IMAGE ID       CREATED        SIZE
localhost/fedora-working-container     latest   245f01352d01   18 hours ago   175MB
nara0617/hello-python                  latest   c6b350e97471   13 days ago    55.2MB
fedora                                 latest   b3048463dcef   6 weeks ago    175MB
gcr.io/knative-samples/helloworld-go   latest   7de72db4aca7   2 years ago    781MB
[root@ip-192-168-114-198 ~]# skopeo copy docker://nara0617/myimage:1.0.0 docker-daemon:localhost/podmanbuilt:latest
Getting image source signatures
Copying blob f6291d888731 done
Copying blob 9e0775ca9a2f done
Copying blob 247a9afb7564 [======================================] 173.0b / 173.0b
Copying config 0989a71c8d done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY                             TAG      IMAGE ID       CREATED        SIZE
localhost/fedora-working-container     latest   245f01352d01   18 hours ago   175MB
localhost/podmanbuilt                  latest   0989a71c8dee   20 hours ago   72.9MB
nara0617/hello-python                  latest   c6b350e97471   13 days ago    55.2MB
fedora                                 latest   b3048463dcef   6 weeks ago    175MB
gcr.io/knative-samples/helloworld-go   latest   7de72db4aca7   2 years ago    781MB
[root@ip-192-168-114-198 ~]#
The reverse direction works the same way: as shown above, an image can be pulled from the registry back into the local daemon's store.
[root@ip-192-168-114-198 ~]# skopeo copy docker://nara0617/myimage:1.0.0 docker://nara0617/myimage:1.0.1
Getting image source signatures
Copying blob f6291d888731 skipped: already exists
Copying blob 247a9afb7564 skipped: already exists
Copying blob 9e0775ca9a2f [--------------------------------------] 0.0b / 0.0b
Copying config 0989a71c8d [--------------------------------------] 0.0b / 2.6KiB
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 ~]#
Moving an image between Docker repositories (here, between two tags on Docker Hub) is likewise a single command; blobs that already exist at the destination are skipped.
Folded into a CI pipeline, the promotion stage can be written as follows:
stage('Promote Images') {
    steps {
        script {
            sh "skopeo login docker.io -u $DOCKERHUB_ID -p $DOCKERHUB_PW"
            sh "skopeo copy docker://${srcApplicationRef} docker://${destApplicationRef}"
        }
    }
}
skopeo can act as a container image manager: it inspects images and performs pull and push against registries. inspect diagnoses an image's configuration, and copy (and layers) can be seen as a shortcut for the usual pull > tag > push sequence.
Using this, images can be promoted between the various container image management environments (registries, daemons, local storage) and managed there.
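The promotion stage above copies whatever the source tag points at right now and passes the registry password with -p, which leaves it in shell history and visible in the process list. The helper below is an added example, not code from the post or from the skopeo project: it resolves the source tag to a manifest digest with skopeo inspect, copies by that digest, logs in with --password-stdin, and refuses to finish unless the destination serves the same digest afterwards. The `run` callable that executes commands, and the fake runner used in testing, are constructed for this example; `subprocess_runner` is what a real CI job would pass.

```python
# Added example (not the post's own code): digest-pinned image promotion for the
# "Promote Images" CI stage. Commands are executed through a `run` callable so the
# logic can be tested with a fake runner; the flag set used is skopeo's own.
import json
import os
import subprocess
from typing import Callable, List, Optional

# run(argv, stdin_text) -> stdout. CI passes subprocess_runner; tests inject a fake.
Runner = Callable[[List[str], Optional[str]], str]


def subprocess_runner(argv: List[str], stdin_text: Optional[str] = None) -> str:
    """Execute argv, feed stdin_text, return stdout; raise on a non-zero exit."""
    proc = subprocess.run(argv, input=stdin_text, capture_output=True, text=True, check=True)
    return proc.stdout


def repo_of(ref: str) -> str:
    """Strip '@digest' and ':tag'; a ':' after the last '/' is a tag, before it a port."""
    ref = ref.split("@", 1)[0]
    head, _, last = ref.rpartition("/")
    name = last.split(":", 1)[0]
    return f"{head}/{name}" if head else name


def login_cmd(registry: str, username: str) -> List[str]:
    """skopeo login reading the secret from stdin, so it never appears in ps or shell history."""
    return ["skopeo", "login", "--username", username, "--password-stdin", registry]


def copy_cmd(src_repo: str, digest: str, dest_ref: str) -> List[str]:
    """skopeo copy pinned to a digest, with TLS verification made explicit on both sides."""
    return [
        "skopeo", "copy", "--src-tls-verify=true", "--dest-tls-verify=true",
        f"docker://{src_repo}@{digest}", f"docker://{dest_ref}",
    ]


def inspect_digest(ref: str, run: Runner) -> str:
    """Return the manifest digest that skopeo inspect reports for docker://ref."""
    info = json.loads(run(["skopeo", "inspect", f"docker://{ref}"], None))
    digest = info.get("Digest", "")
    if not digest.startswith("sha256:"):
        raise ValueError(f"unexpected digest for {ref}: {digest!r}")
    return digest


def promote(src_ref: str, dest_ref: str, run: Runner) -> str:
    """Resolve src tag -> digest, copy by that digest, then prove dest serves the same digest."""
    src_digest = inspect_digest(src_ref, run)
    run(copy_cmd(repo_of(src_ref), src_digest, dest_ref), None)
    dest_digest = inspect_digest(dest_ref, run)
    if dest_digest != src_digest:
        # A rewritten manifest (format conversion, recompression) changes the digest;
        # fail closed rather than leave a tag pointing at content that was not verified.
        raise RuntimeError(f"digest mismatch after copy: {src_digest} != {dest_digest}")
    return src_digest


def promote_with_login(registry: str, username: str, password: str,
                       src_ref: str, dest_ref: str, run: Runner) -> str:
    """Log in (secret via stdin) and promote; returns the digest now served at dest_ref."""
    run(login_cmd(registry, username), password + "\n")
    return promote(src_ref, dest_ref, run)


if __name__ == "__main__":
    # In Jenkins these would come from a credentials binding and the stage's parameters
    # (environment variable names are assumed for this example).
    print(promote_with_login(
        "docker.io", os.environ["DOCKERHUB_ID"], os.environ["DOCKERHUB_PW"],
        os.environ["SRC_REF"], os.environ["DEST_REF"], subprocess_runner,
    ))
```

The post-copy digest check is the part worth keeping even if the rest is replaced by plain shell: skopeo preserves the source manifest by default (the --format help text above says the default is the source's manifest type), so a differing digest at the destination means the manifest was rewritten in transit and the promoted tag should not be trusted until that is understood.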
Full Workflow
Applying the per-tool steps examined so far to a CI/CD process, a pipeline such as the following can be built.
It proceeds in a total of 8 steps; let us go over each step in detail once more.
1. Pull CentOS Image
(podman pull IMAGE_NAME > skopeo inspect IMAGE_NAME > podman images)
[root@ip-192-168-114-198 ~]# podman pull centos
Resolved short name "centos" to a recorded short-name alias (origin: /etc/containers/registries.conf.d/shortnames.conf)
Trying to pull registry.centos.org/centos:latest...
Getting image source signatures
Copying blob 926a85fb4806 done
Copying config 2f3766df23 done
Writing manifest to image destination
Storing signatures
2f3766df23b6b238987b29a0cec50a9974f97948ea2e6569035d374289ca2da2
[root@ip-192-168-114-198 ~]# skopeo inspect docker://centos
{
    "Name": "docker.io/library/centos",
    "Digest": "sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1",
    "RepoTags": [
        "5.11",
        "5",
        "6.10",
        "6.6",
        "6.7",
        "6.8",
        "6.9",
        "6",
        "7.0.1406",
        "7.1.1503",
        "7.2.1511",
        "7.3.1611",
        "7.4.1708",
        "7.5.1804",
        "7.6.1810",
        "7.7.1908",
        "7.8.2003",
        "7.9.2009",
        "7",
        "8.1.1911",
        "8.2.2004",
        "8.3.2011",
        "8",
        "centos5.11",
        "centos5",
        "centos6.10",
        "centos6.6",
        "centos6.7",
        "centos6.8",
        "centos6.9",
        "centos6",
        "centos7.0.1406",
        "centos7.1.1503",
        "centos7.2.1511",
        "centos7.3.1611",
        "centos7.4.1708",
        "centos7.5.1804",
        "centos7.6.1810",
        "centos7.7.1908",
        "centos7.8.2003",
        "centos7.9.2009",
        "centos7",
        "centos8.1.1911",
        "centos8.2.2004",
        "centos8.3.2011",
        "centos8",
        "latest"
    ],
    "Created": "2020-12-08T00:22:53.076477777Z",
    "DockerVersion": "19.03.12",
    "Labels": {
        "org.label-schema.build-date": "20201204",
        "org.label-schema.license": "GPLv2",
        "org.label-schema.name": "CentOS Base Image",
        "org.label-schema.schema-version": "1.0",
        "org.label-schema.vendor": "CentOS"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621"
    ],
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ]
}
[root@ip-192-168-114-198 ~]# podman images
REPOSITORY                   TAG      IMAGE ID       CREATED       SIZE
registry.centos.org/centos   latest   2f3766df23b6   2 weeks ago   217 MB
[root@ip-192-168-114-198 ~]#
The image is pulled with podman and then inspected with skopeo. Note from the output that podman resolved the short name "centos" to registry.centos.org/centos via the short-name alias file, while skopeo inspect docker://centos resolved it to docker.io/library/centos, so the two commands are describing two different images (image IDs 2f3766df23b6 and 300e315adb2f); for a consistent check, use the fully qualified name in both.
[root@ip-192-168-114-198 ~]# docker pull centos
Using default tag: latest
latest: Pulling from library/centos
7a0437f04f83: Pull complete
Digest: sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1
Status: Downloaded newer image for centos:latest
docker.io/library/centos:latest
[root@ip-192-168-114-198 ~]# docker inspect centos
[
    {
        "Id": "sha256:300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55",
        "RepoTags": [
            "centos:latest"
        ],
        "RepoDigests": [
            "centos@sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2020-12-08T00:22:53.076477777Z",
        "Container": "395e0bfa7301f73bc994efe15099ea56b8836c608dd32614ac5ae279976d33e4",
        "ContainerConfig": {
            "Hostname": "395e0bfa7301",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "#(nop) ",
                "CMD [\"/bin/bash\"]"
            ],
            "Image": "sha256:6de05bdfbf9a9d403458d10de9e088b6d93d971dd5d48d18b4b6758f4554f451",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "org.label-schema.build-date": "20201204",
                "org.label-schema.license": "GPLv2",
                "org.label-schema.name": "CentOS Base Image",
                "org.label-schema.schema-version": "1.0",
                "org.label-schema.vendor": "CentOS"
            }
        },
        "DockerVersion": "19.03.12",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
            ],
            "Cmd": [
                "/bin/bash"
            ],
            "Image": "sha256:6de05bdfbf9a9d403458d10de9e088b6d93d971dd5d48d18b4b6758f4554f451",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "org.label-schema.build-date": "20201204",
                "org.label-schema.license": "GPLv2",
                "org.label-schema.name": "CentOS Base Image",
                "org.label-schema.schema-version": "1.0",
                "org.label-schema.vendor": "CentOS"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 209348104,
        "VirtualSize": 209348104,
        "GraphDriver": {
            "Data": {
                "MergedDir": "/var/lib/docker/overlay2/b00d5e71c0d806b0e6ea37e6cea7ec64752b5fde9c715dee78e070132a5cac8d/merged",
                "UpperDir": "/var/lib/docker/overlay2/b00d5e71c0d806b0e6ea37e6cea7ec64752b5fde9c715dee78e070132a5cac8d/diff",
                "WorkDir": "/var/lib/docker/overlay2/b00d5e71c0d806b0e6ea37e6cea7ec64752b5fde9c715dee78e070132a5cac8d/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:2653d992f4ef2bfd27f94db643815aa567240c37732cae1405ad1c1309ee9859"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]
[root@ip-192-168-114-198 ~]# docker images
REPOSITORY   TAG      IMAGE ID       CREATED       SIZE
centos       latest   300e315adb2f   3 weeks ago   209MB
[root@ip-192-168-114-198 ~]#
Unlike docker inspect, skopeo inspect has the advantage of listing every tag in the repository (RepoTags) alongside the manifest digest.
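The two inspect outputs in step 1 describe the same content from different sides, and only some of their fields are comparable. The following added example (not code from the post) cross-checks what docker pull stored against what the registry serves: skopeo's Digest is the manifest digest and must appear in docker's RepoDigests, whereas docker's Id is the digest of the image config and RootFS.Layers are uncompressed diff IDs, so neither of those can be matched against skopeo's Digest or Layers. The two JSON documents are constructed by trimming the page's own skopeo inspect and docker inspect output; in practice they would be captured from the commands.

```python
# Added example (not the post's own code): cross-check a pulled image against the
# registry using the skopeo inspect and docker inspect outputs from step 1.
import json
from typing import Any, Dict, Set

# Constructed: trimmed from the page's `skopeo inspect docker://centos` output.
SKOPEO_INSPECT = """{
  "Name": "docker.io/library/centos",
  "Digest": "sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1",
  "RepoTags": ["7", "8", "8.3.2011", "latest"],
  "Created": "2020-12-08T00:22:53.076477777Z",
  "Layers": ["sha256:7a0437f04f83f084b7ed68ad9c4a4947e12fc4e1b006b38129bac89114ec3621"]
}"""

# Constructed: trimmed from the page's `docker inspect centos` output.
DOCKER_INSPECT = """[{
  "Id": "sha256:300e315adb2f96afe5f0b2780b87f28ae95231fe3bdd1e16b9ba606307728f55",
  "RepoTags": ["centos:latest"],
  "RepoDigests": ["centos@sha256:5528e8b1b1719d34604c87e11dcd1c0a20bedf46e83b5632cdeac91b8c04efc1"],
  "RootFS": {"Type": "layers",
             "Layers": ["sha256:2653d992f4ef2bfd27f94db643815aa567240c37732cae1405ad1c1309ee9859"]}
}]"""


def tag_of(ref: str) -> str:
    """Tag part of a reference ('latest' when absent); a ':' before the last '/' is a port."""
    last = ref.rpartition("/")[2]
    return last.split(":", 1)[1] if ":" in last else "latest"


def registry_view(skopeo_json: str) -> Dict[str, Any]:
    """What the registry says: repository name, manifest digest and every tag it holds."""
    info = json.loads(skopeo_json)
    return {"name": info["Name"], "digest": info["Digest"], "tags": list(info.get("RepoTags", []))}


def local_view(docker_json: str) -> Dict[str, Any]:
    """What the daemon stored. Id is the *config* digest and RootFS.Layers are uncompressed
    diff IDs, so neither matches skopeo's Digest/Layers; RepoDigests carries the manifest digest."""
    entries = json.loads(docker_json)
    if len(entries) != 1:
        raise ValueError(f"expected exactly one image, got {len(entries)}")
    entry = entries[0]
    digests: Set[str] = {rd.split("@", 1)[1] for rd in entry.get("RepoDigests", []) if "@" in rd}
    return {"id": entry["Id"], "tags": list(entry.get("RepoTags", [])), "digests": digests}


def check_pulled_matches_registry(skopeo_json: str, docker_json: str) -> Dict[str, Any]:
    """Report whether the local copy is the manifest the registry currently serves,
    which tags exist only on the registry side, and a digest-pinned reference to use."""
    reg = registry_view(skopeo_json)
    loc = local_view(docker_json)
    local_tags = {tag_of(t) for t in loc["tags"]}
    return {
        "manifest_matches": reg["digest"] in loc["digests"],
        "registry_only_tags": sorted(set(reg["tags"]) - local_tags),
        "pinned_ref": f"{reg['name']}@{reg['digest']}",
    }


if __name__ == "__main__":
    print(json.dumps(check_pulled_matches_registry(SKOPEO_INSPECT, DOCKER_INSPECT), indent=2))
```

skopeo inspect only talks to the registry, so this check can be run again later without pulling: if the tag has been re-pushed, manifest_matches turns false and the pinned_ref value tells you what was actually validated.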
2. buildah build
(write Dockerfile > buildah bud > podman run > podman exec)
[root@ip-192-168-114-198 ~]# curl -s -o Dockerfile https://raw.githubusercontent.com/ajacocks/Dockerfile_fedora-postgres/master/Dockerfile_fedora-postgres
[root@ip-192-168-114-198 ~]# cat Dockerfile
FROM docker.io/library/fedora:latest
MAINTAINER alexander@redhat.com
RUN yum install -y postgresql-server
USER postgres
RUN /bin/initdb -D /var/lib/pgsql/data
RUN /usr/bin/pg_ctl start -D /var/lib/pgsql/data -s -o "-p 5432" -w -t 300 &&\
    /bin/psql --command "CREATE USER docker WITH SUPERUSER PASSWORD 'docker';" &&\
    /bin/createdb -O docker docker
RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/pgsql/data/pg_hba.conf
RUN echo "listen_addresses='*'" >> /var/lib/pgsql/data/postgresql.conf
EXPOSE 5432
CMD ["/bin/postgres", "-D", "/var/lib/pgsql/data", "-c", "config_file=/var/lib/pgsql/data/postgresql.conf"]
[root@ip-192-168-114-198 ~]# mkdir build; mv Dockerfile build/Dockerfile; cd build
[root@ip-192-168-114-198 build]# buildah bud -t fedora_postgresql .
STEP 1: FROM docker.io/library/fedora:latest
STEP 2: MAINTAINER alexander@redhat.com
STEP 3: RUN yum install -y postgresql-server
Fedora 33 openh264 (From Cisco) - x86_64                 2.2 kB/s | 2.5 kB     00:01
Fedora Modular 33 - x86_64                               2.2 MB/s | 3.3 MB     00:01
Fedora Modular 33 - x86_64 - Updates                     1.6 MB/s | 2.9 MB     00:01
Fedora 33 - x86_64 - Updates                             4.2 MB/s |  20 MB     00:04
Fedora 33 - x86_64                                       2.1 MB/s |  72 MB     00:34
Dependencies resolved.
================================================================================ Package Arch Version Repository Size ================================================================================ Installing: postgresql-server x86_64 12.4-3.fc33 updates 5.8 M Installing dependencies: acl x86_64 2.2.53-9.fc33 fedora 72 k cryptsetup-libs x86_64 2.3.4-1.fc33 fedora 476 k dbus x86_64 1:1.12.20-2.fc33 fedora 9.9 k dbus-broker x86_64 24-1.fc33 fedora 169 k dbus-common noarch 1:1.12.20-2.fc33 fedora 17 k device-mapper x86_64 1.02.173-1.fc33 fedora 142 k device-mapper-libs x86_64 1.02.173-1.fc33 fedora 178 k hwdata noarch 0.341-1.fc33 updates 1.4 M iptables-libs x86_64 1.8.5-4.fc33 updates 367 k kmod-libs x86_64 27-3.fc33 fedora 63 k libargon2 x86_64 20171227-5.fc33 fedora 29 k libcbor x86_64 0.5.0-7.fc33 fedora 46 k libfido2 x86_64 1.4.0-3.fc33 fedora 66 k libibverbs x86_64 32.0-1.fc33 updates 333 k libicu x86_64 67.1-4.fc33 fedora 9.7 M libmnl x86_64 1.0.4-12.fc33 fedora 28 k libnetfilter_conntrack x86_64 1.0.7-5.fc33 fedora 62 k libnfnetlink x86_64 1.0.1-18.fc33 fedora 29 k libnl3 x86_64 3.5.0-5.fc33 fedora 325 k libpcap x86_64 14:1.9.1-6.fc33 updates 173 k libpq x86_64 12.4-1.fc33 fedora 207 k libseccomp x86_64 2.5.0-3.fc33 fedora 72 k pciutils x86_64 3.6.4-2.fc33 fedora 90 k pciutils-libs x86_64 3.6.4-2.fc33 fedora 41 k postgresql x86_64 12.4-3.fc33 updates 1.4 M qrencode-libs x86_64 4.0.2-6.fc33 fedora 60 k rdma-core x86_64 32.0-1.fc33 updates 56 k systemd x86_64 246.6-3.fc33 fedora 4.0 M systemd-pam x86_64 246.6-3.fc33 fedora 308 k systemd-rpm-macros noarch 246.6-3.fc33 fedora 29 k xkeyboard-config noarch 2.30-3.fc33 fedora 749 k Installing weak dependencies: diffutils x86_64 3.7-7.fc33 updates 390 k libxkbcommon x86_64 1.0.1-1.fc33 fedora 134 k systemd-networkd x86_64 246.6-3.fc33 fedora 467 k Transaction Summary ================================================================================ Install 35 Packages Total download size: 28 M Installed size: 100 M 
Downloading Packages: (1/35): iptables-libs-1.8.5-4.fc33.x86_64.rpm 8.4 MB/s | 367 kB 00:00 (2/35): hwdata-0.341-1.fc33.noarch.rpm 22 MB/s | 1.4 MB 00:00 (3/35): libibverbs-32.0-1.fc33.x86_64.rpm 7.7 MB/s | 333 kB 00:00 (4/35): diffutils-3.7-7.fc33.x86_64.rpm 256 kB/s | 390 kB 00:01 (5/35): libpcap-1.9.1-6.fc33.x86_64.rpm 112 kB/s | 173 kB 00:01 (6/35): rdma-core-32.0-1.fc33.x86_64.rpm 6.0 MB/s | 56 kB 00:00 (7/35): postgresql-server-12.4-3.fc33.x86_64.rp 5.3 MB/s | 5.8 MB 00:01 (8/35): acl-2.2.53-9.fc33.x86_64.rpm 68 kB/s | 72 kB 00:01 (9/35): dbus-1.12.20-2.fc33.x86_64.rpm 45 kB/s | 9.9 kB 00:00 (10/35): dbus-broker-24-1.fc33.x86_64.rpm 188 kB/s | 169 kB 00:00 (11/35): cryptsetup-libs-2.3.4-1.fc33.x86_64.rp 283 kB/s | 476 kB 00:01 (12/35): dbus-common-1.12.20-2.fc33.noarch.rpm 20 kB/s | 17 kB 00:00 (13/35): device-mapper-libs-1.02.173-1.fc33.x86 388 kB/s | 178 kB 00:00 (14/35): kmod-libs-27-3.fc33.x86_64.rpm 239 kB/s | 63 kB 00:00 (15/35): device-mapper-1.02.173-1.fc33.x86_64.r 107 kB/s | 142 kB 00:01 (16/35): libargon2-20171227-5.fc33.x86_64.rpm 34 kB/s | 29 kB 00:00 (17/35): libcbor-0.5.0-7.fc33.x86_64.rpm 72 kB/s | 46 kB 00:00 (18/35): libfido2-1.4.0-3.fc33.x86_64.rpm 289 kB/s | 66 kB 00:00 (19/35): libmnl-1.0.4-12.fc33.x86_64.rpm 33 kB/s | 28 kB 00:00 (20/35): libnetfilter_conntrack-1.0.7-5.fc33.x8 97 kB/s | 62 kB 00:00 (21/35): libnfnetlink-1.0.1-18.fc33.x86_64.rpm 68 kB/s | 29 kB 00:00 (22/35): libicu-67.1-4.fc33.x86_64.rpm 3.3 MB/s | 9.7 MB 00:02 (23/35): libnl3-3.5.0-5.fc33.x86_64.rpm 219 kB/s | 325 kB 00:01 (24/35): libseccomp-2.5.0-3.fc33.x86_64.rpm 326 kB/s | 72 kB 00:00 (25/35): postgresql-12.4-3.fc33.x86_64.rpm 148 kB/s | 1.4 MB 00:10 (26/35): libxkbcommon-1.0.1-1.fc33.x86_64.rpm 586 kB/s | 134 kB 00:00 (27/35): pciutils-3.6.4-2.fc33.x86_64.rpm 406 kB/s | 90 kB 00:00 (28/35): libpq-12.4-1.fc33.x86_64.rpm 140 kB/s | 207 kB 00:01 (29/35): pciutils-libs-3.6.4-2.fc33.x86_64.rpm 64 kB/s | 41 kB 00:00 (30/35): qrencode-libs-4.0.2-6.fc33.x86_64.rpm 58 kB/s 
| 60 kB 00:01 (31/35): systemd-246.6-3.fc33.x86_64.rpm 2.1 MB/s | 4.0 MB 00:01 (32/35): systemd-networkd-246.6-3.fc33.x86_64.r 269 kB/s | 467 kB 00:01 (33/35): systemd-pam-246.6-3.fc33.x86_64.rpm 209 kB/s | 308 kB 00:01 (34/35): systemd-rpm-macros-246.6-3.fc33.noarch 131 kB/s | 29 kB 00:00 (35/35): xkeyboard-config-2.30-3.fc33.noarch.rp 1.5 MB/s | 749 kB 00:00 -------------------------------------------------------------------------------- Total 1.9 MB/s | 28 MB 00:14 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : libpq-12.4-1.fc33.x86_64 1/35 Installing : libnl3-3.5.0-5.fc33.x86_64 2/35 Installing : kmod-libs-27-3.fc33.x86_64 3/35 Installing : postgresql-12.4-3.fc33.x86_64 4/35 Installing : xkeyboard-config-2.30-3.fc33.noarch 5/35 Installing : libxkbcommon-1.0.1-1.fc33.x86_64 6/35 Installing : systemd-rpm-macros-246.6-3.fc33.noarch 7/35 Installing : qrencode-libs-4.0.2-6.fc33.x86_64 8/35 Installing : pciutils-libs-3.6.4-2.fc33.x86_64 9/35 Installing : libseccomp-2.5.0-3.fc33.x86_64 10/35 Installing : libnfnetlink-1.0.1-18.fc33.x86_64 11/35 Installing : libmnl-1.0.4-12.fc33.x86_64 12/35 Installing : libnetfilter_conntrack-1.0.7-5.fc33.x86_64 13/35 Installing : libicu-67.1-4.fc33.x86_64 14/35 Installing : libcbor-0.5.0-7.fc33.x86_64 15/35 Installing : libfido2-1.4.0-3.fc33.x86_64 16/35 Installing : libargon2-20171227-5.fc33.x86_64 17/35 Installing : acl-2.2.53-9.fc33.x86_64 18/35 Installing : hwdata-0.341-1.fc33.noarch 19/35 Installing : pciutils-3.6.4-2.fc33.x86_64 20/35 Installing : rdma-core-32.0-1.fc33.x86_64 21/35 Running scriptlet: rdma-core-32.0-1.fc33.x86_64 21/35 Installing : libibverbs-32.0-1.fc33.x86_64 22/35 Installing : libpcap-14:1.9.1-6.fc33.x86_64 23/35 Installing : iptables-libs-1.8.5-4.fc33.x86_64 24/35 Installing : diffutils-3.7-7.fc33.x86_64 25/35 Installing : device-mapper-1.02.173-1.fc33.x86_64 26/35 Installing : 
device-mapper-libs-1.02.173-1.fc33.x86_64 27/35 Installing : cryptsetup-libs-2.3.4-1.fc33.x86_64 28/35 Installing : dbus-1:1.12.20-2.fc33.x86_64 29/35 Installing : systemd-networkd-246.6-3.fc33.x86_64 30/35 Installing : systemd-pam-246.6-3.fc33.x86_64 31/35 Running scriptlet: systemd-246.6-3.fc33.x86_64 32/35 Installing : systemd-246.6-3.fc33.x86_64 32/35 Running scriptlet: systemd-246.6-3.fc33.x86_64 32/35 ln: failed to create symbolic link '/etc/resolv.conf': Device or resource busy warning: %post(systemd-246.6-3.fc33.x86_64) scriptlet failed, exit status 1 Error in POSTIN scriptlet in rpm package systemd Installing : dbus-common-1:1.12.20-2.fc33.noarch 33/35 Running scriptlet: dbus-common-1:1.12.20-2.fc33.noarch 33/35 Created symlink /etc/systemd/system/sockets.target.wants/dbus.socket → /usr/lib/systemd/system/dbus.socket. Created symlink /etc/systemd/user/sockets.target.wants/dbus.socket → /usr/lib/systemd/user/dbus.socket. Running scriptlet: dbus-broker-24-1.fc33.x86_64 34/35 Installing : dbus-broker-24-1.fc33.x86_64 34/35 Running scriptlet: dbus-broker-24-1.fc33.x86_64 34/35 Created symlink /etc/systemd/system/dbus.service → /usr/lib/systemd/system/dbus-broker.service. Created symlink /etc/systemd/user/dbus.service → /usr/lib/systemd/user/dbus-broker.service. 
Running scriptlet: postgresql-server-12.4-3.fc33.x86_64 35/35 Installing : postgresql-server-12.4-3.fc33.x86_64 35/35 Running scriptlet: postgresql-server-12.4-3.fc33.x86_64 35/35 Verifying : diffutils-3.7-7.fc33.x86_64 1/35 Verifying : hwdata-0.341-1.fc33.noarch 2/35 Verifying : iptables-libs-1.8.5-4.fc33.x86_64 3/35 Verifying : libibverbs-32.0-1.fc33.x86_64 4/35 Verifying : libpcap-14:1.9.1-6.fc33.x86_64 5/35 Verifying : postgresql-12.4-3.fc33.x86_64 6/35 Verifying : postgresql-server-12.4-3.fc33.x86_64 7/35 Verifying : rdma-core-32.0-1.fc33.x86_64 8/35 Verifying : acl-2.2.53-9.fc33.x86_64 9/35 Verifying : cryptsetup-libs-2.3.4-1.fc33.x86_64 10/35 Verifying : dbus-1:1.12.20-2.fc33.x86_64 11/35 Verifying : dbus-broker-24-1.fc33.x86_64 12/35 Verifying : dbus-common-1:1.12.20-2.fc33.noarch 13/35 Verifying : device-mapper-1.02.173-1.fc33.x86_64 14/35 Verifying : device-mapper-libs-1.02.173-1.fc33.x86_64 15/35 Verifying : kmod-libs-27-3.fc33.x86_64 16/35 Verifying : libargon2-20171227-5.fc33.x86_64 17/35 Verifying : libcbor-0.5.0-7.fc33.x86_64 18/35 Verifying : libfido2-1.4.0-3.fc33.x86_64 19/35 Verifying : libicu-67.1-4.fc33.x86_64 20/35 Verifying : libmnl-1.0.4-12.fc33.x86_64 21/35 Verifying : libnetfilter_conntrack-1.0.7-5.fc33.x86_64 22/35 Verifying : libnfnetlink-1.0.1-18.fc33.x86_64 23/35 Verifying : libnl3-3.5.0-5.fc33.x86_64 24/35 Verifying : libpq-12.4-1.fc33.x86_64 25/35 Verifying : libseccomp-2.5.0-3.fc33.x86_64 26/35 Verifying : libxkbcommon-1.0.1-1.fc33.x86_64 27/35 Verifying : pciutils-3.6.4-2.fc33.x86_64 28/35 Verifying : pciutils-libs-3.6.4-2.fc33.x86_64 29/35 Verifying : qrencode-libs-4.0.2-6.fc33.x86_64 30/35 Verifying : systemd-246.6-3.fc33.x86_64 31/35 Verifying : systemd-networkd-246.6-3.fc33.x86_64 32/35 Verifying : systemd-pam-246.6-3.fc33.x86_64 33/35 Verifying : systemd-rpm-macros-246.6-3.fc33.noarch 34/35 Verifying : xkeyboard-config-2.30-3.fc33.noarch 35/35 Installed: acl-2.2.53-9.fc33.x86_64 cryptsetup-libs-2.3.4-1.fc33.x86_64 
dbus-1:1.12.20-2.fc33.x86_64 dbus-broker-24-1.fc33.x86_64 dbus-common-1:1.12.20-2.fc33.noarch device-mapper-1.02.173-1.fc33.x86_64 device-mapper-libs-1.02.173-1.fc33.x86_64 diffutils-3.7-7.fc33.x86_64 hwdata-0.341-1.fc33.noarch iptables-libs-1.8.5-4.fc33.x86_64 kmod-libs-27-3.fc33.x86_64 libargon2-20171227-5.fc33.x86_64 libcbor-0.5.0-7.fc33.x86_64 libfido2-1.4.0-3.fc33.x86_64 libibverbs-32.0-1.fc33.x86_64 libicu-67.1-4.fc33.x86_64 libmnl-1.0.4-12.fc33.x86_64 libnetfilter_conntrack-1.0.7-5.fc33.x86_64 libnfnetlink-1.0.1-18.fc33.x86_64 libnl3-3.5.0-5.fc33.x86_64 libpcap-14:1.9.1-6.fc33.x86_64 libpq-12.4-1.fc33.x86_64 libseccomp-2.5.0-3.fc33.x86_64 libxkbcommon-1.0.1-1.fc33.x86_64 pciutils-3.6.4-2.fc33.x86_64 pciutils-libs-3.6.4-2.fc33.x86_64 postgresql-12.4-3.fc33.x86_64 postgresql-server-12.4-3.fc33.x86_64 qrencode-libs-4.0.2-6.fc33.x86_64 rdma-core-32.0-1.fc33.x86_64 systemd-246.6-3.fc33.x86_64 systemd-networkd-246.6-3.fc33.x86_64 systemd-pam-246.6-3.fc33.x86_64 systemd-rpm-macros-246.6-3.fc33.noarch xkeyboard-config-2.30-3.fc33.noarch Complete! STEP 4: USER postgres STEP 5: RUN /bin/initdb -D /var/lib/pgsql/data The files belonging to this database system will be owned by user "postgres". This user must also own the server process. The database cluster will be initialized with locale "C". The default database encoding has accordingly been set to "SQL_ASCII". The default text search configuration will be set to "english". Data page checksums are disabled. fixing permissions on existing directory /var/lib/pgsql/data ... ok creating subdirectories ... ok selecting dynamic shared memory implementation ... posix selecting default max_connections ... 100 selecting default shared_buffers ... 128MB selecting default time zone ... Etc/UTC creating configuration files ... ok running bootstrap script ... ok performing post-bootstrap initialization ... ok syncing data to disk ... 
ok initdb: warning: enabling "trust" authentication for local connections You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb. Success. You can now start the database server using: /bin/pg_ctl -D /var/lib/pgsql/data -l logfile start STEP 6: RUN /usr/bin/pg_ctl start -D /var/lib/pgsql/data -s -o "-p 5432" -w -t 300 && /bin/psql --command "CREATE USER docker WITH SUPERUSER PASSWORD 'docker';" && /bin/createdb -O docker docker 2020-12-30 06:27:01.868 UTC [8] LOG: starting PostgreSQL 12.4 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 10.2.1 20200826 (Red Hat 10.2.1-3), 64-bit 2020-12-30 06:27:01.869 UTC [8] LOG: listening on IPv4 address "127.0.0.1", port 5432 2020-12-30 06:27:01.875 UTC [8] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432" 2020-12-30 06:27:01.877 UTC [8] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432" 2020-12-30 06:27:01.890 UTC [8] LOG: redirecting log output to logging collector process 2020-12-30 06:27:01.890 UTC [8] HINT: Future log output will appear in directory "log". 
CREATE ROLE
STEP 7: RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/pgsql/data/pg_hba.conf
STEP 8: RUN echo "listen_addresses='*'" >> /var/lib/pgsql/data/postgresql.conf
STEP 9: EXPOSE 5432
STEP 10: CMD ["/bin/postgres", "-D", "/var/lib/pgsql/data", "-c", "config_file=/var/lib/pgsql/data/postgresql.conf"]
STEP 11: COMMIT fedora_postgresql
ERRO Can't add file /var/lib/containers/storage/overlay/2ec1e57fc66975c98f91211226ca3d67b9998825a477fd7ac491ea3519f2c469/diff/run/postgresql/.s.PGSQL.5432 to tar: archive/tar: sockets not supported
ERRO Can't add file /var/lib/containers/storage/overlay/2ec1e57fc66975c98f91211226ca3d67b9998825a477fd7ac491ea3519f2c469/diff/tmp/.s.PGSQL.5432 to tar: archive/tar: sockets not supported
Getting image source signatures
Copying blob ed0c36ccfcbe skipped: already exists
Copying blob 923ca1312650 done
Copying config fa1d77857a done
Writing manifest to image destination
Storing signatures
--> fa1d77857a8
fa1d77857a81bf978c54f743996284105a7be6fc6bfe1805f80f8e56c82cffb1
[root@ip-192-168-114-198 build]# podman run -d --name fpg fedora_postgresql
98ab8261e40518fec5420a912ac62d66fc48d8fb49ad7e6407886b96a07bf74f
[root@ip-192-168-114-198 build]# podman exec -it fpg psql
psql (12.4)
Type "help" for help.

postgres=#
The container image is built with buildah, then verified by starting it with podman run and entering it with podman exec. The two ERRO lines at COMMIT come from the Unix socket files left behind by the pg_ctl start in STEP 6: buildah cannot archive sockets into a layer, so it skips them and the commit still completes with image ID fa1d77857a81.
3. Container Registry
(podman login > podman images > buildah push or skopeo copy)
[root@ip-192-168-114-198 build]# podman login docker.io -u nara0617 -p dhfhskalsC!
Login Succeeded!
[root@ip-192-168-114-198 build]# podman images
REPOSITORY                             TAG      IMAGE ID       CREATED         SIZE
localhost/fedora_postgresql            latest   fa1d77857a81   4 minutes ago   542 MB
localhost/nara0617/ubuntuechobuildah   latest   c14ac4084845   3 hours ago     75.3 MB
localhost/nara0617/ubuntuecho          latest   a65de8136db3   3 hours ago     75.3 MB
localhost/fedora-working-container     latest   245f01352d01   23 hours ago    181 MB
localhost/podmanbuilt                  latest   0989a71c8dee   25 hours ago    75.3 MB
registry.centos.org/centos             latest   2f3766df23b6   2 weeks ago     217 MB
docker.io/library/ubuntu               latest   f643c72bc252   4 weeks ago     75.3 MB
docker.io/library/fedora               latest   b3048463dcef   6 weeks ago     181 MB
[root@ip-192-168-114-198 build]# buildah push fedora_postgresql:latest nara0617/fedora_postgresql:latest
Getting image source signatures
Copying blob 923ca1312650 done
Copying blob ed0c36ccfcbe skipped: already exists
Copying config fa1d77857a done
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 build]# skopeo copy containers-storage:fa1d77857a81 docker://nara0617/fedora_postgresql:latest
Getting image source signatures
Copying blob 923ca1312650 done
Copying blob ed0c36ccfcbe done
Copying config fa1d77857a [--------------------------------------] 0.0b / 2.7KiB
Writing manifest to image destination
Storing signatures
[root@ip-192-168-114-198 build]#
Finally, log in with podman login to the registry the built and verified image will be pushed to, and push it there with either buildah push or skopeo copy. When pushing to a registry, skopeo offers finer control than buildah (the --dest-* options listed above). Note that passing the password with -p, as in the session above, records it in shell history and exposes it in the process list for the duration of the command; podman login also accepts --password-stdin.
Conclusion
The runtime container contest will ultimately come down to which CRI fits Kubernetes best. For now that is of course Docker, and not many people would disagree yet. However, since OCI (Open Container Initiative) and CRI (Container Runtime Interface) were defined there are now rules for what a runtime container is, and alternatives are appearing one after another. In particular, runtime containers that address Docker's weaknesses are emerging and growing. Docker was not developed for Kubernetes; rather, Kubernetes supports Docker. CRI-O, on the other hand, is a runtime container created solely for Kubernetes, with the advantage that the CRI-O project itself manages and maintains Kubernetes compatibility. Combined with the finer-grained low-level container components Podman, Buildah and Skopeo, I expect it to grow into a strong alternative to Docker.